$4.3M Civil Monetary Penalty for HIPAA Privacy Violation

On February 22, HHS issued a Notice of Final Determination imposing a civil monetary penalty of $4.3 million against Cignet Health of Prince George’s County, Md., representing the first civil monetary penalty issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule.  The HHS found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested. These patients individually filed complaints, initiating investigations of each complaint.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The civil monetary penalty for these violations was $1.3 million.  During the investigations, Cignet refused to respond to HHS’s demands to produce the records. Additionally, Cignet failed to cooperate with HHS’s investigations of the complaints and produce the records in response to HHS’s subpoena.  HHS also found that Cignet failed to cooperate with HHS’s investigations on a continuing daily basis, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  The civil monetary penalty for these violations was $3 million.

With federal and state governments turning over every rock to recoup a dollar, the health care industry will continue to bare witness to an increase in government regulation and audits in the HIPAA arena.

To view the HHS Press Release: http://www.hhs.gov/news/press/2011pres/02/20110222a.html

This post was contributed by Charles Dunham.