Last week, four settlement agreements were announced with four different Massachusetts hospitals to resolve claims that they had violated HIPAA and state consumer protection and data security laws, either by not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or by failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered into settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about those hospitals allowing a TV documentary to film on their premises. In one instance, the news story OCR cited as launching its investigation had actually been posted on one of the hospitals’ websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions, for example by conducting HIPAA training with the film crew, they nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.
The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed by the settling organizations, and ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, the complaint further alleges that the hospital and group failed to properly investigate those reports, verify that the information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been used fraudulently. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, the Data Security Law, and HIPAA in a complaint filed simultaneously with the consent decree, which included a payment of $230,000.
Despite what any of us might feel or be inclined to think to the contrary, HIPAA enforcement is alive and well at both the federal and state levels. Although there is some indication that OCR has been selective in its enforcement and is focusing on large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do pursue HIPAA violations of all sizes, either on a standalone basis or as part of an enforcement action under a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show, on the one hand, that regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and, on the other, that regulated entities need to take reports of unauthorized access to or use of PHI seriously, including by investigating and disciplining the employees involved, subject to whistleblower protections.