Warning: HIPAA enforcement is ramping up. The feds don't seem afraid to use their HIPAA fining power, and it was one employee's innocent mistake that cost $1 million. The Department of Health and Human Services' Office of Civil Rights (OCR) has fined the General Hospital Corporation and Massachusetts General Physicians Organization Inc. in Boston $1 million over an incident where a Mass General employee left files on a subway train that were never recovered. "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," OCR Director Georgina Verdugo says in a release about the settlement. "It is a covered entity's responsibility to protect its patients' health information." And OCR has fined Cignet Health of Prince George's County, Md., more than $4.3 million for breaching the HIPAA Privacy Rule. "The fine is the first civil monetary penalty (CMP) ever imposed for a covered entity's violations of the HIPAA Privacy Rule," notes law firm Sidley Austin on its website. Cignet's fine came from failing to give patients' access to their protected health information (PHI) in their medical records, rather than accidentally revealing PHI. The high total was in part racked up due to the new willful neglect fines. "These cases, and HHS' apparent willingness to put them in the spotlight, demonstrate the agency's newfound commitment to investigating, uncovering and imposing penalties for HIPAA violations," notes law firm Duane Morris in an alert on the topic. Who might report a willful neglect violation? Most frequently, an employee who's been mistreated or terminated files such a complaint against the employer, says consultant Abner Weintraub, based on his experience as an expert witness in HIPAA cases. The second-most common scenario involves a patient filing a complaint, adds Weintraub, president of The HIPAA Group Inc. in Orlando, Fla. And HHS now can more easily track possible violations, thanks to HITECH Act provisions that require providers to notify the agency of HIPAA data breaches, Duane Morris points out.