HIPAA Privacy Fine: $4.3 Million

Clinics Failed to Provide Patients With Records Access
For the first time, federal officials have issued a civil monetary penalty to a healthcare organization for violations of the HIPAA privacy rule. Cignet Health of Prince George's County, Md., was fined $4.3 million for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.

Cignet, a Christian-influenced medical service, operates four clinics in southern Maryland. The HITECH Act created higher fines for HIPAA violations, and those higher fines were issued in this case.

"The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.

Two HIPAA Fines

The individuals affected filed records access complaints with the HHS' Office for Civil Rights between September 2008 and October 2009. The HIPAA privacy rule requires that a covered entity, such as a clinic or hospital, provide a patient with a copy of their records no later than 60 days after a request. HHS imposed a "civil monetary penalty" of $1.3 million for Cignet's violation of this requirement.

HHS explained in a statement that Cignet refused to respond to OCR's demands to produce the records and failed to cooperate with OCR's investigations of the complaints and produce the records in response to a subpoena. OCR filed a petition to enforce its subpoena in a U.S. District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means, HHS said.

Cignet failed to cooperate with OCR's investigations from March 2009 to April 2010, constituting willful neglect to comply with the HIPAA privacy rule, according to HHS. HIPAA covered entities are required under law to cooperate with the department's investigations. The fine for these violations was $3 million.

"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records and adhere closely to all of HIPAA's requirements," said OCR Director Georgina Verdugo. OCR "will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules," she added.

Unlike the Cignet case, which involves a civil monetary penalty, several earlier HIPAA violation cases led to resolution agreements that included plans to take corrective action. For example, Rite Aid agreed to a $1 million settlement and a plan to take corrective steps after it was determined the chain was improperly disposing of prescription information.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
