The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA privacy rule. The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General.
My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods. As Rebekah notes in the article:
While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.