When the Health Information Technology for Economic and Clinical Health Act became law shortly after President Obama took office, experts told me again and again that the new legislation gave the Health Insurance Portability and Accountability Act privacy and security requirements some teeth.
This week, the U.S. Department of Health and Human Services sent warnings to those subject to the laws that it's serious about enforcement now that it can finally do something to discourage violations. According to Computerworld, HHS imposed a $4.3 million civil penalty on Cignet Health for violating HIPAA privacy provisions and agreed to receive $1 million from Massachusetts General Hospital to settle potential HIPAA privacy violations.
Cignet's penalty stems from its failure to give 41 different patients access to their medical records when they were requested, followed by a failure to cooperate with an investigation into the matter by the HHS Office of Civil Rights.
The Mass. General settlement arises from the loss of documents containing the protected health information of 192 patients. An employee accidentally left them on a subway, the story says.
The cases are the first resulting from HIPAA privacy violations since the law was enacted.