The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a $4.3 million fine to Cignet Health of Prince George’s County, MD (Cignet) for violating the HIPAA Privacy Rule. Cignet refused to provide 41 patients with access to their medical records. Under HIPAA, patients are entitled to access their medical records within 30 days of the initial request, and no later than 60 days if the covered entity invokes the one permitted extension.
Not only did Cignet fail to provide the patients with access to their medical records, it also refused to cooperate with OCR during the investigation of the complaints. Below is a section from the HHS posting regarding this fine.
During the investigations, Cignet refused to respond to OCR’s repeated demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints, including failure to produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.
What could Cignet have been thinking? Many will be asking that question. The case clearly shows that ignoring requests from HHS or OCR is not a good move.
Fines under HIPAA fall into different categories based on the severity of the violation. The most severe and most costly category is willful neglect. Previously, willful neglect was defined only in the abstract, with no enforcement example to show what it meant in practice. Now we have a very good idea of what willful neglect looks and feels like. One thing to especially note: if OCR starts to investigate your organization, it is in your best interest to comply with the investigation.
Breakdown of the fines
The $4.3 million fine is actually a combination of two separate fines. Each is a civil money penalty (CMP). Again from HHS:
The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The two fines break down as follows:
Covered entities are required under law to cooperate with the Department’s investigations. OCR found that Cignet’s failure to cooperate with OCR’s investigations was due to willful neglect. The CMP for these violations is $3 million.
The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.
The takeaway from the Cignet fines is that HHS and OCR are sending a clear message that HIPAA is not to be ignored. I would read that as applying to both the HIPAA Privacy and Security Rules. HHS and OCR have taken a lot of knocks for not enforcing the HIPAA and HITECH acts. This may be a wake-up call to everyone that this is no longer the case. The final paragraph on the HHS site makes this very clear.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”