Feds impose first civil fine ever in HIPAA case

The Department of Health and Human Services' Office for Civil Rights hit Cignet Health with a $4.3 million civil penalty for violating the HIPAA Privacy Rule and failing to cooperate during the subsequent probe even after a federal subpoena was issued, according to an HHS announcement.

This marks the first time the feds have imposed a civil money penalty for violations of HIPAA since it went into effect in 2003, the Washington Post reports. In earlier cases, offenders such as Rite Aid Corp. agreed to correct their practices or pay fines to settle the case. The fine is based on the violation categories and increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

An OCR investigation found that Cignet, which operates two clinics in Maryland, violated the rights of 41 patients who requested their medical records between Sept. 2008 and Oct. 2009 by not producing their records. The patients each filed separate complaints with OCR, which initiated investigations. Under the HIPAA privacy rule, records must be made available within 60 days of a request.

Cignet's experience is a cautionary tale. Besides violating the HIPAA privacy rule, it failed to respond to OCR's demands to produce the records. When OCR ratcheted up the pressure and issued a subpoena, Cignet still did not product records. Only after OCR filed a petition to get a federal court to order Cignet to produce the records did the company stir. Eight days later, the boxes arrived at the DOJ. But Cignet did not make any effort to resolve the complaints through informal means, according to HHS.

OCR imposed $3 million of the $4.3 million fine for the company's failure to cooperate with OCR's investigations for nearly 13 months. In the case of Cignet Health, "this was really willful neglect," Rachel Seeger, a spokeswoman for the OCR, told the Post. "They would not respond to the department."

What's more, when the health center finally delivered 59 boxes of records to the Justice Department, the boxes contained not only medical records for the 41 patients, but also records for about 4,500 other patients, whose information Cignet should not have been disclosing, because the records were not part of the probe.

To learn more:
- read the press release for the Department of Health and Human Services
- see the HHS notices
- here's the Washington Post story

Related Articles:
California fines 7 facilities for privacy breaches
HHS raises maximum HIPAA privacy fines to $1.5 million
Over-applying and misapplying HIPAA is common
Google defends its stance on medical data privacy
Report: More records compromised than previously thought at UCLA Medical Center