
$4.3 Million Civil Monetary Penalty Imposed for HIPAA Privacy Violation

Johanna M. Novak
Foster Swift Municipal Law News
May 2011

As municipalities know, the federal HIPAA law provides federal protections for protected health information. HIPAA rules are detailed, complex, and extensive. Relevant here, HIPAA says that “covered entities” have to safeguard health information and spells out patients’ rights to that information. Municipalities should take note of a recent federal agency decision to levy a large fine – just over $4.3 million – against a covered entity for violating patient rights under HIPAA.

The federal HIPAA regulations apply only to those entities defined in the regulations as “covered entities.” Covered entities under HIPAA are group and individual health care plans, clearinghouses, and providers who transmit health information electronically. Health insurance benefits that a municipality offers may be covered by HIPAA. In effect, that means that a municipality that provides health insurance benefits may have to follow the detailed HIPAA rules. Subject to certain exceptions, a federal rule (45 CFR 164.524) provides that an individual may access and inspect or copy his or her protected health information in a designated record set no later than 30 days (60 days for information that is not maintained or accessible to the covered entity on-site) after the covered entity’s receipt of the request.

Just recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a fine of over $4.3 million against Cignet Health of Prince George’s County, Maryland (Cignet), a Christian-influenced health center. Forty-one patients had filed complaints with OCR after Cignet allegedly denied them access to their medical records. OCR investigated and determined that Cignet had indeed violated the patients’ rights by denying them access to their medical records.

Cignet’s violation of the patients’ rights of access played a large part in its fine, to be sure. But the size of Cignet’s total fine, it seems, was in no small part due to Cignet compounding that error: it repeatedly failed to respond to OCR requests to produce the records at issue, and failed to produce the records in response to an OCR subpoena. Cignet ultimately gave in, but the damage had already been done. The OCR determined that Cignet’s failure to cooperate was due to willful neglect and fined Cignet an additional $3 million, on top of $1.3 million for the improper denial of access.

This was the first civil monetary penalty the OCR has issued for violating the HIPAA privacy rules. And yet, mere weeks after this penalty was issued, Massachusetts General Hospital (Mass General) paid $1 million to settle a potential HIPAA violation case. That case arose when a hospital employee lost protected health information while commuting to work – apparently leaving 192 patient records on a subway train; the records were never recovered.

These results leave no doubt that the government is increasing its enforcement of the HIPAA privacy and security rules. Those organizations that are required to comply with HIPAA – including certain municipalities that offer employee health benefits – should review their policies and procedures to ensure that they are adequately protecting patient information and honoring patients’ access rights.

If you would like assistance in developing or updating HIPAA policies and procedures, or have questions about whether your municipality is required to comply with HIPAA, please contact either Johanna M. Novak at 906.226.5501 or any other member of the Foster Swift Administrative & Municipal Team.