HIPAA privacy violations result in penalties exceeding $4.3 million

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA privacy rule.  The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General. 

My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods.  As Rebekah notes in the article:

While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.

The full text of the article is available here.
