Feds cracking down on HIPAA violations

The U.S. Department of Health and Human Services (HHS) sent a message last week that it is serious about violations of the Health Insurance Portability and Accountability Act (HIPAA), hitting a major hospital and medical group with more than $5 million in fines and penalties.

The HHS Office for Civil Rights, which enforces HIPAA privacy rules, imposed a $4.3 million civil penalty on Cignet Health of Prince George’s County, Maryland, the first such penalty it has issued for patient privacy violations.

The investigation began after 41 patients complained that they were unable to get their medical records from the medical group. In a statement, HHS said Cignet refused to turn over the records or cooperate with its investigation, thus earning a $3 million penalty on top of the initial $1.3 million fine.

In a separate action, Massachusetts General Hospital has agreed to pay the U.S. government $1 million to settle potential violations of the HIPAA act. As part of the settlement, the hospital also promised to institute new policies to protect patients’ privacy.

HHS began investigating Mass General after a patient complained in 2009 that his or her protected health information had been lost. The investigation expanded to include 192 patients of the hospital’s Infectious Disease Associates outpatient practice, including those with HIV/AIDS. Information on 66 of the patients, including names, dates of birth, medical record numbers, health insurer and policy numbers, diagnoses, and names of providers, were lost when a Mass General employee left the information on a subway train.

“Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” HHS Secretary Kathleen Sebelius said in a press release.