On February 22, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $4.3-million civil monetary penalty against Cignet Health (Cignet), a covered entity, for violating the HIPAA Privacy Rule. This was the first civil monetary penalty ever issued by OCR for a covered entity’s violation of the HIPAA Privacy Rule. Although there have been a number of settlements arising from alleged HIPAA violations, never before has OCR imposed a civil monetary penalty against a covered entity for violating the HIPAA Privacy Rule. The penalty against Cignet was based on the new violation categories and the increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR’s action may foreshadow increased scrutiny and an invigorated willingness to assess significant penalties against covered entities for HIPAA violations.
The $4.3-million civil monetary penalty was triggered by Cignet’s failure to provide access to the medical records of 41 patients, as well as its failure to adequately cooperate with OCR’s investigation. Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records — to verify that the entity’s operations are current with the recent legal changes.
Patients’ Rights Violations and Failure to Cooperate Lead to Civil Monetary Penalty
OCR imposed the civil monetary penalty against Cignet after finding that Cignet violated the rights of 41 patients by not providing the patients access to their medical records, between September 2008 and October 2009, despite the patients’ requests for copies of their medical records. The patients individually filed complaints with OCR, initiating investigations of each complaint. Although there are certain exceptions, 45 C.F.R. section 164.524 generally requires that a covered entity provide a patient with a copy of his/her medical records within 30 days, and no later than 60 days, of the patient's request. OCR assessed a $1.3-million civil monetary penalty against Cignet for its violations of the HIPAA Privacy Rule.
OCR also assessed a $3-million civil monetary penalty on the grounds that Cignet failed to cooperate in OCR’s investigation. Covered entities are legally required under 45 C.F.R. section 160.310(b) to cooperate with the government in such investigations. According to OCR’s findings, Cignet failed to cooperate with OCR's investigations of the complaints, nor did Cignet produce the records in response to OCR's requests. Cignet eventually produced the medical records to OCR, but according to OCR, Cignet made no efforts to resolve informally the complaints with the patients or the government.
For violations of the HIPAA Privacy Rule, OCR is authorized to impose civil monetary penalties of up to $50,000 per violation, with a maximum amount of $1.5 million per year.
Practical Advice for Covered Entities
In light of OCR’s landmark HIPAA penalty, here is some practical advice covered entities should consider.
Conclusion and Implications
OCR’s penalty against Cignet may foreshadow more vigorous enforcement of the HIPAA privacy and security rules. Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records — to verify that the entity’s operations are current with the recent legal changes. For businesses subject to these rules, collaboration with skilled health care counsel is an important step in protecting against enforcement exposure and helping ensure compliance with HIPAA.
Access a copy of HHS’ February 4, 2011 Notice of Final Determination here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf.
Access a copy of HHS’ October 20, 2010 Notice of Proposed Determination here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
Nathaniel M. Lacktman
M. Leeann Habte
Los Angeles, California
Maureen F. Kwiecinski
Peter F. McLaughlin
Jacqueline M. Saue
R. Michael Scarano Jr.
San Diego, California
Andrew B. Serwin
San Diego, California
Lawrence W. Vernaglia