4.3 Million Penalty Assessed Under HITECH for HIPAA violations
One might say that it looks like HHS and OCR are making up for all those years people have said there has been a lack of enforcement of HIPAA — 4.3 million dollars worth of “making up for lost time” in just one shot….
HHS and OCR held nothing back as the first civil money penalty was assessed under the new categories and increased penalty amounts created by HITECH. The 4.3 million penalty was imposed against Cignet Health in Prince George County, Maryland, for violating HIPAA patient access rights. Cignet had denied access to the medical records of 41 patients upon their request between September 2008 and October 2009 and each patient had filed complaints individually with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days and in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from “did not know” to “willful neglect” to comply with HIPAA, and established a corresponding tiered monetary penalty system.
Had this been the end of the story, Cignet would have walked away with only a 1.3 million penalty for violating HIPAA. However, not only did Cignet fail to comply with HIPAA patient access rights, but it refused to produce the records when OCR demanded it do so. Even after OCR presented Cignet with a subpoena, it continued to not produce the records. Only after OCR filed a petition to enforce the subpoena and subsequently obtained a default judgment in United States District Court against Cignet did Cignet finally turn over the records. Cignet also made no efforts throughout the entire investigation to cooperate or resolve the complaints informally. OCR found Cignet’s failure to cooperate a willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with investigations by OCR, and an extra 3 million was imposed against Cignet.
The penalties imposed against Cignet dispel any doubt that may have remained concerning HHS’ ramped up enforcement of HIPAA. OCR Director Georgina Verdugo stated, “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” With a hefty 4.3 million penalty as HHS’ “first shot”, Covered Entities will certainly take notice and action to avoid coming under fire themselves.
