For the Second Time Ever, HIPAA Privacy Violations Result in Civil Money Penalties | Practical Law

The Department of Health and Human Services (HHS) has announced a ruling by an administrative law judge upholding penalties sought by HHS for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the ruling, a HIPAA covered entity must pay nearly $240,000 in penalties for violations of HIPAA's privacy requirements.

Practical Law Legal Update w-001-4079 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 03 Feb 2016 | USA (National/Federal)
On February 3, 2016, HHS issued a press release announcing an administrative law ruling imposing civil money penalties of nearly $240,000 against a HIPAA covered entity for violations of the HIPAA privacy rule (see Practice Note, HIPAA Privacy Rule). HHS sought the penalties after it was unable to settle the matter informally. According to HHS, this marks only the second time the agency has sought civil money penalties for HIPAA violations (see HIPAA Enforcement and Group Health Plans: Penalties and Investigations). (The first-ever civil money penalties, for $4.3 million, involved a 2011 action against a provider that denied its patients access to their medical records (see Practice Note, HIPAA Privacy and Security: Individual Rights).) The covered entity invoked its right to a hearing before an administrative law judge (ALJ) to challenge HHS's proposed penalties, but the ALJ's decision upheld the penalties.
The HIPAA covered entity, a home health provider with more than 850 branch locations and operations in 48 states, maintained the protected health information (PHI) of more than 275 individuals who received services from the company's employees. The company became the subject of an HHS investigation after the husband of one of the company's managers complained that his wife, from whom he was estranged, had left behind company documents in their home. The documents contained the PHI of the company's patients, including the individuals' names, addresses, telephone numbers, and emergency contacts. The manager was also responsible for patient-specific documents (for example, diagnoses and medical test results) for several of the company's patients. Per the company's policy, the manager removed these documents from the office and kept them in her car, so as to have ready access to them. When the manager moved out of the couple's home, however, she left the documents behind and later conceded to HHS that she was uncertain where her car was parked. Her husband informed the company and HHS that he:
  • Discovered the PHI under a bed and in a kitchen drawer.
  • Was in possession of the abandoned documents.
The ALJ determined that the company's policies were inadequate because (among other reasons):
  • No written policy addressed how staff members should protect PHI that was removed from the company's offices.
  • Policies implemented after the manager's unauthorized disclosure similarly failed to address this issue.
  • No policies existed to monitor documents removed from the company's offices, and to ensure the documents' return.
The ALJ determined that the company violated HIPAA by failing to:
  • Reasonably safeguard its patients' PHI, thereby allowing an unauthorized individual to access that information.
  • Develop and implement policies and procedures to protect PHI removed from its branch offices.
The ALJ therefore granted summary judgment in HHS's favor and upheld the proposed civil penalties.

Practical Impact

Although the covered entity in this enforcement action is not a group health plan, the procedural failures at issue could occur in that context as well. This action is notable because HHS has, to date at least, tended to resolve its enforcement actions through resolution agreements that did not require it to seek civil money penalties (for a recent example of a HIPAA settlement, see Legal Update, Malicious Malware Leads to $750,000 HIPAA Settlement). Moreover, the increased maximum penalty amounts under the Health Information Technology for Economic and Clinical Health (HITECH) Act underscore the need for compliant HIPAA procedures and adequate training (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations and Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).