As HIPAA Enforcement Efforts Increase, How Should Investors in Healthcare & Medical Device Companies View Risks Associated with HIPAA Compliance?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes two main components that are administered by the Office of Civil Rights (OCR): the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information (Protected Health Information, or PHI) and the HIPAA Security Rule, which sets national standards for the security of PHI. This post discusses some significant recent enforcement efforts and what the increased activity means for healthcare providers and investors.
The Changing Landscape in HIPAA Enforcement Efforts
The healthcare industry received a clear message from HHS in late February with the OCR's announcement of two major enforcement actions. First, the OCR announced on February 22nd that it had imposed a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George’s County, MD. Then two days later, OCR announced that General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General) had agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.
This is the first time that the OCR has publicized its enforcement actions involving heavy monetary payments. Until these CMPs, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut (in a $250,000 settlement with Health Net, Inc.), Indiana (in a $300,000 suit against Wellpoint) and Vermont (in a settlement with Health Net, Inc., and Health Net of the Northeast, Inc.).
McGuireWoods attorneys Kim Kannensohn, Holly Carnell and Amita Sanghvi have published details of these recent OCR enforcement actions. Essentially, OCR determined that Cignet had violated the rights of 41 patients by denying them access to their medical records in violation of the general requirement that a covered entity provide a patient with a copy of the patient’s medical records within 30 days of the patient’s request. In addition, OCR also penalized Cignet for its failure to cooperate with OCR’s investigation on a continuing daily basis from March 17, 2009 to April 7, 2010. The CMP of $4.3 million is comprised of a CMP of $1.3 million for Cignet’s violations of patient privacy rights and a CMP of $3 million for Cignet’s failure to cooperate.
The Mass General settlement stems from an extensive investigation by OCR relating to a 2009 incident in which a hospital employee misplaced documents containing protected health information, including information of patients with HIV/AIDS. While commuting to work on the subway, the employee had allegedly removed documents containing PHI from her bag and placed them on the seat beside her and upon exiting the train left the documents on the subway. The documents containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients. The documents were not in an envelope, were bound with a rubber band and were never recovered.
What does this Mean for Healthcare & Medical Device Investors?
The message from OCR through these enforcement actions is clear. HIPAA must be taken seriously and failure to adhere to the requirements can mean heavy penalties and bad press. This is true not only for "covered entities" but for the multitude of vendors and service providers deemed "business associates" under HIPAA, which entities also have obligations and potential liability under HIPAA/HITECH. It is now more critical than ever for covered entities and business associates, as well as healthcare investors examining a potential investment opportunity, to review the companies' HIPAA compliance efforts. Diligence on HIPAA compliance for the vast majority of companies involved in the US healthcare system is a vital element when considering investment. Reviewing the organization’s plan documents, training programs, security systems and preparedness for a HIPAA audit are among the most important elements to evaluate, and investors would be well served to include such review in their diligence process.