HHS issues $4.3M fine to Maryland provider over HIPAA violation

Justine Varieur Cadet | | Health Exec | Cybersecurity
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a notice of determination finding that Cignet Health of Prince George’s County, Md., violated the Privacy Rule of HIPAA. HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first financial penalty issued by HHS for a covered entity’s violations of HIPAA.

In a notice of proposed determination issued Oct. 20, 2010, the OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with the OCR, initiating investigations of each complaint.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigation, Cignet refused to respond to the OCR’s demands to produce the records, according to HHS. Additionally, the agency said that Cignet failed to cooperate with OCR’s investigation of the complaints and produce the records in response to the OCR’s subpoena. OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment against Cignet on March 30, 2010.

On April 7, 2010, Cignet produced the medical records to the OCR, but “otherwise made no efforts to resolve the complaints through informal means,” HHS said.

OCR also found that Cignet failed to cooperate with OCR’s investigation on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the HHS investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said the OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

“The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” said HHS Secretary Kathleen Sebelius.

Justine Varieur Cadet

Related Content

Healthcare hacker sentenced to 10 years in prison
Ransomware group deploys ticking clock to threaten Georgia hospital
Hackers were inside an Iowa hospital’s network for two weeks
Microsoft: Ransomware hit nearly 400 healthcare entities this year—a 300% rise since 2015
Feds make it official: Change data breach was the largest in healthcare history, impacting 100M
CMS contractor takes $1.2M loss after data breach, DOJ lawsuit

Around the web

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

Cardiovascular Business
FDA commissioner urges clinicians to join fight against medical misinformation

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Design by Adaptive Theme
Trimed Popup
Trimed Popup