The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule.  HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.

The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously.  In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:

  • Between September 2009 and October 2009, Cignet failed to provide 41 individuals with timely access to copies of protected health information (PHI) about them in the designated record sets maintained by Cignet, in violation of 45 C.F.R. § 164.524.
  • From March 2009 through April 2010, Cignet failed to cooperate with OCR’s investigation of 27 complaints regarding Cignet’s noncompliance described above, in violation of 45 C.F.R. § 160.310(b).

According to OCR, Cignet initially refused to produce the medical records in response to OCR’s demand; failed to cooperate with OCR’s investigation of the individuals’ complaints; and failed to produce the medical records in response to a subpoena, though it ultimately produced them after OCR filed a petition to enforce the subpoena in federal court and obtained a default judgment against the company.  OCR found that, aside from producing the records, Cignet otherwise made no effort to resolve the complaints through informal means.

In the Notice of Final Determination, OCR imposed a civil money penalty of $1.3 million based on each failure to provide an individual with access, and each day that the violation continued.  OCR also found that Cignet’s failures to cooperate with the investigation were due to willful neglect, and imposed a penalty of $3 million for each failure to cooperate and each day that the violation continued.  Copies of the Notice of Proposed Determination and Notice of Final Determination are available here.

The fact that HHS has imposed the first civil money penalty, and that the penalty amount is significant, suggests that the agency may be gearing up to flex its enforcement muscles.  It is also noteworthy that the first penalty related to a failure to provide timely access to PHI, as opposed to an impermissible use or disclosure of PHI.  In ensuring that they are ready for an era of OCR enforcement (as opposed to technical assistance), covered entities should focus not just on protecting the confidentiality of PHI, but also on their procedures for providing access, amendment, and accounting rights and their procedures for responding to complaints.

Given HHS’s increased focus on HIPAA enforcement, we’ve been working to help many of our clients understand how HIPAA affects their operations.  For more information about how HIPAA enforcement and compliance issues affect you, please contact us.