The privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are critically important for employers to understand and comply with. In general, HIPAA requires that records containing individually identifiable health information be kept secure and made available only to certain parties. Additionally, HIPAA requires that privacy procedures be adopted and implemented to keep health information secure, that employees be trained to understand and follow those procedures, and that individuals be notified about their privacy rights and about how their health information can and will be used.

The enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, a law which was enacted as part of and perhaps overshadowed by the American Recovery and Reinvestment Act of 2009 (ARRA), reinforced the importance of HIPAA privacy rules. HITECH expanded the authority of the Secretary of the Department of Health and Human Services (HHS) to impose civil monetary penalties on “covered entities” and “business associates” that violate HIPAA privacy and security standards. A “covered entity” includes any entity that is (1) a health care provider that conducts certain transactions in electronic form, (2) a health care clearinghouse, and/or (3) a health plan. An employer is not subject to HIPAA simply because it maintains individual health information; however, many employers are subject to HIPAA because an employer that self-insures its employees or manages a health reimbursement or employee assistance plan is subject to HIPAA as a health plan. A “business associate” is any entity that stores, processes, or otherwise manages a covered entity’s protected health information. For example, a software vendor or billing service may be a business associate if its activities involve the use of a covered entity’s protected health information.

Prior to 2009, HIPAA limited the Secretary’s authority to impose civil monetary penalties to not more than $100 for each violation, not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. With the enactment of HITECH, civil penalties increased greatly. Under HITECH, civil monetary penalties can be imposed based on the nature and extent of the HIPAA violation and the resulting harm, with corresponding tiers of increasing penalty amounts. For violations due to willful neglect that are not timely corrected, a penalty of $50,000 per day is the minimum penalty imposed for each violation, with a $1.5 million maximum for all such violations of an identical requirement or prohibition.

Recently, the HHS Office for Civil Rights (OCR) used its expanded power to impose over $5 million in fines on two entities for HIPAA privacy violations.

OCR assessed a $4,351,600 civil monetary penalty on a health center and insurer for denying 41 patients access to their medical records between September 2008 and October 2009, and for its willful neglect in not complying with OCR’s investigations from March 17, 2009 to April 7, 2010. HIPAA requires that covered entities furnish patients with a copy of their medical records within thirty days of their request, and in no case more than sixty days from the date of their request. For refusing patient access to medical records in violation of HIPAA, OCR imposed a total fine of $1,351,600. In addition, OCR found that not cooperating with OCR’s investigations for over a year constituted willful neglect in complying with the HIPAA privacy rule, which requires compliance with OCR’s investigations, and imposed an additional $3,000,000 penalty. Thus, a civil monetary penalty of $4,351,600 was imposed for HIPAA violations – approximately $106,000 for each of the 41 records not provided to patients.

In the same month, OCR assessed a $1,000,000 civil monetary penalty on a large hospital following an incident in which a hospital employee left copies of protected health information for 192 patients on a subway. One patient whose protected health information was lost filed a complaint with OCR. By not implementing reasonable and appropriate safeguards to ensure that protected health information remained private, the hospital violated the HIPAA privacy rules, and it entered into a settlement with OCR for a $1,000,000 civil monetary penalty. In addition, under the settlement, the hospital is required to develop and implement policies and procedures that ensure the protection of protected health information when such information is physically taken off its premises, to train its personnel on these policies and procedures, and to provide OCR with semi-annual reports for three years assessing its execution of these required privacy measures.

Thus, the significant civil monetary penalties imposed demonstrate OCR’s recent aggressive enforcement of HIPAA privacy rules. Although only covered entities have been hit with heavy civil monetary penalties thus far, business associates of covered entities are also subject to the enhanced enforcement powers of OCR under HITECH. Employers that are covered entities or business associates of covered entities should assess their exposure to HIPAA privacy violations and correct any issues that could lead to a very costly violation. OCR is examining employers to see whether they have implemented policies and procedures to protect private health information and to respond promptly to incidents that may arise. Employers’ compliance programs are expected to include employee training and regular internal audits. OCR examinations occur through investigations of complaints filed with its office, as well as through compliance reviews that OCR conducts on its own initiative. Employers should review their HIPAA compliance programs, as a HIPAA violation may result in expensive consequences, like the massive penalties recently imposed.