The Department of Health and Human Services (HHS) said Tuesday that it has imposed a $4.3 million civil money penalty (CMP) on Maryland-based Cignet Health, saying the company had violated the 1996 HIPAA Privacy Rule.
The move represents the first time the HHS has issued such a penalty for a covered entity’s violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
“Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” said HHS Secretary Kathleen Sebelius.
The penalty is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Department said.
In a Notice of Proposed Determination issued last October, the Department’s Office for Civil Rights (OCR) found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.
These patients individually filed complaints with the OCR, triggering investigations of each complaint.
The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 days (and no later than 60 days) of the patient’s request. The CMP for these violations is $1.3 million.
However, during the investigations, Cignet refused to respond to OCR’s demands to produce the records, or to produce the records in response to an OCR subpoena, the Department said.
OCR filed a petition to enforce its subpoena in U.S. District Court, obtaining a default judgment against Cignet last March. One month later, Cignet produced the medical records to OCR, but “otherwise made no efforts to resolve the complaints through informal means,” the Department said.
OCR also found that Cignet failed to cooperate with its investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.
Covered entities are required by law to cooperate with the Department’s investigations or face CMPs of $3 million, HHS said.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo.
“The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
A copy of the OCR’s Notice of Proposed Determination and Notice of Final Determination can be found at http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html.