HHS issues $4.3M fine to Maryland provider over HIPAA violation

Justine Varieur Cadet | | Health Exec | Cybersecurity
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a notice of determination finding that Cignet Health of Prince George’s County, Md., violated the Privacy Rule of HIPAA. HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first financial penalty issued by HHS for a covered entity’s violations of HIPAA.

In a notice of proposed determination issued Oct. 20, 2010, the OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with the OCR, initiating investigations of each complaint.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigation, Cignet refused to respond to the OCR’s demands to produce the records, according to HHS. Additionally, the agency said that Cignet failed to cooperate with OCR’s investigation of the complaints and produce the records in response to the OCR’s subpoena. OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment against Cignet on March 30, 2010.

On April 7, 2010, Cignet produced the medical records to the OCR, but “otherwise made no efforts to resolve the complaints through informal means,” HHS said.

OCR also found that Cignet failed to cooperate with OCR’s investigation on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the HHS investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said the OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

“The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” said HHS Secretary Kathleen Sebelius.

Justine Varieur Cadet

Related Content

FBI seeking extradition of Israeli prisoner accused of $500M in ransomware attacks
Data breach at chain of clinics impacts 450K patients
Nebraska becomes first state to sue Change Healthcare over data breach
Christmas ransomware exposed over 300K patient records to dark web
Cryo-frozen tissue manufacturer suffers cyberattack
First surgical device of its kind granted key FDA exemption

Around the web

Cardiovascular Business
FDA says years-long tirzepatide shortage is resolved, will give limited leeway to compounders

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

AI in Healthcare
From Capitol Hill to a hospital near you? 5 federal recommendations for healthcare AI policy

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Cardiovascular Business
Merck spends up to $2B to license new weight loss drug with potential heart benefits

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.