OCR's McAndrew on HIPAA Enforcement'There Will Be Consequences' for HIPAA Violations
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, following her recent presentation at the National HIPAA Summit, McAndrew said, "It is clear that we will be vigorously enforcing these requirements, and, with the increased penalties that are available to use under the HITECH Act, covered entities need to pay attention and take whatever steps they can to prevent complaints in the first place by meeting their obligations to the fullest."
OCR announced a $4.3 million civil monetary penalty against Cignet Health, which operates four clinics in Maryland, in a case involving failure to provide patients with access to their records as well as failure to cooperate with investigators. It was the first time OCR had levied a civil monetary penalty for a HIPAA privacy rule violation.
And Massachusetts General Hospital entered a resolution agreement, paying a $1 million settlement and agreeing to corrective action in a case stemming from paper records lost on a subway.
Regarding the Cignet Health case, McAndrew said the important lesson is: "It's important to cooperate with my office when we have a complaint and are attempting to seek resolution." But she added, "We still believe in voluntarily resolving these cases whenever we can because that's the best way of ensuring long-term that the covered entity really understands what their obligations are and has taken adequate steps to meet them."
Also in the interview, McAndrew:
- Acknowledged that OCR is continuing to investigate all of the major health information breaches reported under the HITECH Act breach notification rule.
- Explained that OCR hopes to test one or more models for the HITECH Act's required HIPAA auditing program later this year. She will not, however, predict when the formal audit program would begin.
- Described plans to train state attorneys general this spring on how to file federal HIPAA civil lawsuits, as enabled under the HITECH Act.
As OCR deputy director, McAndrew has responsibility for implementing and enforcing the HIPAA privacy rule. She has more than 20 years of federal government experience. Before joining HHS, she practiced law in the District of Columbia.
HOWARD ANDERSON: In recent weeks, your office announced action in two cases involving violations of HIPAA privacy rule. In one, your office issued a $4.3 million civil monetary penalty to Cignet Health, and in the other you announced a resolution agreement with Massachusetts General that included a $1 million settlement and corrective action. Do these cases signal a ramping up of your HIPAA enforcement efforts?
SUSAN MCANDREW: I think they signal what we have been saying for some time -- that the Office for Civil Rights intends to vigorously enforce the rights of individuals that they have under the HIPAA privacy rule and that covered entities need to take seriously their obligations to come into full compliance with HIPAA privacy and security rule obligations. The privacy rights of individuals are very important, and covered entities need to fully meet their obligations in providing individuals with these rights. And when they don't do so, it is my office that will be there to help individuals vindicate these rights.
HIPAA Lessons Learned
ANDERSON: So what can other organizations learn from these two cases?
MCANDREW: One, that there will be enforcement consequences for failure to comply with privacy and security obligations, and also, particularly in the case of the civil monetary penalty that we imposed, that it is important to cooperate with my office when we have a complaint and we are attempting to seek resolution.
We still believe in voluntarily resolving these cases whenever we can because that is the best way of ensuring long term that the covered entity really now understands what they're obligations are and have taken the adequate steps to meet them. When we don't get that kind of response from the covered entity and there has been a violation, we will go to civil monetary penalties.
Future HIPAA Enforcement
ANDERSON: Do you expect to announce other similar HIPAA enforcement actions in the weeks ahead?
MCANDREW: We are working on thousands of cases, and new issues come to our attention every day. I think it is clear that we will be vigorously enforcing these requirements and that, particularly with the increased penalties that are available to us under the HITECH Act, covered entities need to pay attention and take whatever steps they can to prevent complaints in the first place by meeting their obligations to the fullest.
ANDERSON: What about enforcement actions in any of the major breach cases you've posted on the OCR website?
MCANDREW: We are pursuing investigation of all those incidents, and, to the extent that there is a need to enter into a long-term resolution agreement and corrective action plan with a covered entity in order to properly remedy what happened in any one of those breaches, we will do so. But, as I said, we are also still looking to covered entities for voluntary compliance. And where we can adequately address what happened through that voluntary compliance, there will be no need for these kinds of sanctions.
HIPAA Compliance Audits
ANDERSON: The HITECH Act called for creation of a HIPAA compliance audit program. Can you tell us about the status of that effort?
MCANDREW: That's an ongoing effort to bring up an audit program that will be effective, and yet we can keep it within resource limitations. It's a new undertaking for us. We haven't historically in the Office for Civil Rights come at our enforcement activities through an audit methodology. We have always used complaints and investigations. But we have engaged various contractors to ... make recommendations as to an effective audit program that would merge seamlessly with our ongoing investigation efforts. And we are hoping to be able to pilot test one or more approaches to that audit requirement in the HITECH Act some time later this year.
ANDERSON: So there will be pilot tests perhaps later this year, and then rollout of the program this year or next?
MCANDREW: Well it depends. I mean, the purpose of having a pilot test is to see whether or not it works. If it doesn't work, then we're back to the drawing board. It's a major undertaking. It is a whole different approach to enforcement, and it doesn't take inconsiderable resources to perform audits in a way (that ensures) that people would respect an audit program. We have been quite successful to date with our enforcement activities, and we don't want to negatively impact the efforts we currently have under way by diverting resources into an audit program.
Attorneys General HIPAA Training
ANDERSON: Finally, the HITECH Act also enabled state attorneys general to file civil suits for HIPAA violations. So is the training of attorney general's offices going to be starting soon?
MCANDREW: Yes, we have sent out invitations to all the state attorney general's offices in all 50 states, the District of Columbia and the territories inviting them to one of four training sessions. The first one kicks off in Dallas and then additional training will be available in Atlanta, Washington, D.C., and in San Francisco running through the months of May and June, and following that in-person training of state attorneys general staff. We will be adapting the training that we provided into a computer-based training so it will be available on an ongoing basis as a refresher for anyone that wasn't able to come to the actual in-person training. ANDERSON: And is it reasonable to expect that we will see more civil cases filed once that training is complete?
MCANDREW: It is always the hope that once they fully appreciate what the HIPAA privacy and security rules are all about that they will be anxious to add them to the general privacy protections that already exist within their state. And we are anxious to cooperate with them in pursuing these cases. I think they will bring an interesting perspective in attempting to vindicate rights that are of particular interest for their own residents. I mean, we approach this from a national program, and this gives each state a particular voice to add to how privacy is important to their residents. So we're anxious to cooperate with them, and we believe this training will set a foundation for the kind of cooperation and collaboration between our offices going forward with these kinds of enforcement efforts.