



Compliance Alert

# 2012-10





After several years during which the Department of Health and Human Services (HHS) operated essentially in "complaint-driven" mode with respect to enforcement of the HIPAA Privacy and Security Rules, recent activity suggests a trend toward stricter HIPAA enforcement.  The latest evidence comes in a recently announced settlement between HHS and the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI).


In this settlement, MEEI has agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule.  MEEI also agreed to develop a corrective action plan that includes reviewing and revising its existing Security Rule policies and procedures and retaining an independent monitor for a three-year period to conduct semi-annual assessments of MEEI's compliance with the corrective action plan and report back to HHS.


HHS began its investigation of MEEI after MEEI submitted a breach report, as required by the HIPAA Breach Notification Rule.  The report indicated that an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects had been stolen.  The HHS investigation concluded that MEEI had failed to comply with certain requirements of the HIPAA Security Rule - particularly with respect to the confidentiality of ePHI maintained on portable devices - and that those failures had continued over an extended period of time.


The MEEI settlement is just the latest in a string of recent penalties and settlements stemming from alleged HIPAA privacy and security violations.  From 2003 through 2010, HHS reported that it had received nearly 58,000 privacy complaints and, of those, had resolved more than 52,000.  In fact, during this initial eight-year period after the HIPAA Privacy Rule went into effect, HHS did not impose a single civil monetary penalty for HIPAA violations. 


In February of 2011, however, HHS imposed a $4.3 million penalty against Cignet Health of Prince George's County, Maryland.  HHS found that Cignet had failed to respond to patients' requests for access to their medical records and that Cignet refused to cooperate in HHS's investigation.  Later that same month, Massachusetts General Hospital entered into a $1 million settlement with HHS arising out of an incident in which an employee left paper records containing the PHI of 192 patients, including patients with HIV/AIDS, on the subway.


The recent increase in enforcement efforts may be partially attributable to the fact that the available civil penalties increased dramatically as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.  The HITECH Act provides HHS with substantial leverage in settlement negotiations. 


These steep penalties and settlements should serve as a reminder of how important it is to comply with the HIPAA Privacy and Security Rules.  Health plan sponsors should review their existing policies and procedures and remain vigilant in their training of employees.


Julia M. Vander Weele, Partner
Spencer Fane Britt & Browne LLP

In This Issue
The "HIPAA Police" Are Here
Gordon M. Graffius, CLU, CEO
Bradly W. Graffius, CLU, RHU, President
Commonwealth Benefits Group
This notification is brought to you by your Commonwealth Benefits Group, a Member Firm of United Benefit Advisors - an alliance of more than 140 premier independent benefit advisory firms and one of the nation's five largest employee benefits advisory organizations - and Spencer Fane Britt & Browne LLP, with offices throughout the Midwest and more than a century of experience providing legal counsel.

This publication is designed to provide accurate and authoritative information.  It is distributed with the understanding that the author, publisher and editors are not rendering legal or other professional advice or opinions on specific matters, and accordingly, assume no liability in connection with its use.  The choice of a lawyer is an important decision and should not be made solely upon advertisements.  Past results afford no guarantee of future results.  Every case is different and must be judged on its own merits.