Today the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a civil monetary penalty (CMP) in the amount of $4.3 million on Cignet Health for violations of the HIPAA Privacy Rule. This represents the first CMP imposed by HHS for HIPAA privacy violations.
When Congress enacted the HITECH law in 2009, it significantly expanded HHS’ enforcement authority and made clear that the agency was expected to use it. HHS seems to be taking that directive seriously.
The OCR investigation began in response to complaints filed by Cignet patients who had requested their medical records in order to seek care from physicians outside the Cignet network. Part of the penalty — $1.3 million — was imposed for denying 41 such patients access to their medical records when they requested them between September 2008 and October 2009. Under the Privacy Rule, covered entities are required to provide individuals with access to their medical records within 30 days of a request (or, with a permitted extension, no later than 60 days).
An additional $3 million in penalties was assessed against Cignet for its failure to cooperate with the agency's investigation. Specifically, OCR found that Cignet did not cooperate with its investigation of the complaints and did not respond to its demands to produce the records, including a subpoena. When Cignet did finally respond by producing the records of the individuals who had filed complaints, it also produced to OCR the medical records of an additional 4,500 individuals for whom the agency had made no request or demand. According to OCR, Cignet had no legitimate basis on which to disclose those records to the agency.
OCR found that Cignet’s failure to comply with the Privacy Rule and its refusal to cooperate with the investigation amounted to willful neglect, which appears to have led to the imposition of the maximum penalties permitted by law.