When the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), charged with enforcing the privacy and security rules of HIPAA, recently levied a $4.3-million fine on Cignet Health of Maryland, it marked the first time a HIPAA fine had been issued.

This was swiftly followed by a $1-million settlement with Massachusetts General Hospital for an employee's negligence in leaving personal health records on a subway.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established both privacy and security obligations for those companies and individuals who handle, use or store personal health information (PHI). These rules were strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Now everything is coming full circle, with enforcement catching up with regulations. There have been numerous settlements in the past, but Cignet represented the first actual fine.

Under HITECH, fines are now set at $100 per violation up to a maximum of $50,000 a day. In Cignet's case, the company was also fined for failing to cooperate with the OCR investigation, thus reaching a total of $4.3 million in penalties.

HHS is poised to issue new and no doubt strengthened HIPAA privacy and security regulations sometime soon.

In any event, you can protect your company by posting our All-On-One HIPAA Information Poster, which keeps your employees informed of their rights and obligations under HIPAA and HITECH. Order yours today.