On Feb. 22, the United States Department of Health and Human Services’ Office for Civil Rights announced an unprecedented use of civil monetary penalties, in the amount of $4.3 million, against a Maryland covered entity for violation of the Health Insurance Portability and Accountability Act Privacy Rule. Just two days later, on Feb. 24, HHS announced a $1 million HIPAA Privacy Rule settlement with a Massachusetts provider that breached patient information.
In a press release, HHS Secretary Kathleen Sebelius said, “Ensuring that Americans’ health-information privacy is protected is vital to our health care system and a priority of this administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”
In its first-ever use of civil monetary penalties for a HIPAA Privacy Rule violation, HHS’ Office for Civil Rights investigated individual complaints that it received from patients of Cignet Health of Prince George’s County, Md., between September 2008 and October 2009 regarding Cignet’s alleged denial of access to medical records. The HIPAA Privacy Rule requires that a covered entity provide patients with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.
HHS’ Office for Civil Rights found 41 violations and assessed $1.3 million in penalties for the violations. However, because Cignet refused to respond to the Office for Civil Rights’ demand to produce records and was altogether uncooperative with the investigation, HHS declared that Cignet demonstrated “reckless indifference” by ignoring numerous requests for records and “willfully neglected” its obligation to cooperate with the office.
HHS ultimately had to obtain a subpoena for the records and was thereafter successful in obtaining a default judgment against Cignet. Cignet further failed to respond to the Office for Civil Rights’ offers to submit written evidence that violations were due to reasonable cause and not willful negligence. The office assessed $3 million for the additional violations for a grand total of $4.3 million in penalties. This represents a fine of $50,000 for each day Cignet refused to respond to it from March 17, 2009, to April 7, 2010.
The $3 million fine represented the maximum penalty of $1.5 million per year allowable under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).