HHS issues $4.3M fine to Maryland provider over HIPAA violation

Justine Varieur Cadet | | Health Exec | Cybersecurity
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a notice of determination finding that Cignet Health of Prince George’s County, Md., violated the Privacy Rule of HIPAA. HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first financial penalty issued by HHS for a covered entity’s violations of HIPAA.

In a notice of proposed determination issued Oct. 20, 2010, the OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with the OCR, initiating investigations of each complaint.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigation, Cignet refused to respond to the OCR’s demands to produce the records, according to HHS. Additionally, the agency said that Cignet failed to cooperate with OCR’s investigation of the complaints and produce the records in response to the OCR’s subpoena. OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment against Cignet on March 30, 2010.

On April 7, 2010, Cignet produced the medical records to the OCR, but “otherwise made no efforts to resolve the complaints through informal means,” HHS said.

OCR also found that Cignet failed to cooperate with OCR’s investigation on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the HHS investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said the OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

“The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” said HHS Secretary Kathleen Sebelius.

Justine Varieur Cadet

Related Content

Academic health system agrees to $8M settlement following data breach
Number of Americans impacted by Change Healthcare breach nears 200M
Report: 84% of healthcare organizations identified a data breach last year
Dental chain involved in ransomware coverup fined $350K
FBI seeking extradition of Israeli prisoner accused of $500M in ransomware attacks
Data breach at chain of clinics impacts 450K patients

Around the web

Radiology Business
ACR shares guidance to help members deal with confusing White House executive orders

A string of executive orders from the White House created serious concerns among radiologists and other healthcare providers throughout the United States. The American College of Radiology issued a statement to help guide its members through the chaos. 

Cardiovascular Business
Philips to sell its emergency care business to private equity firm

Bridgefield Capital, founded in 2015, has previously invested in such popular brands as Cirque Du Soleil, Del Monte and Quiksilver. This transaction is expected to be completed in the second half of 2025. 

AI in Healthcare
Nat’l Academy of Medicine sets ‘priorities for action’ as healthcare mulls next moves with AI

Given the precarious excitement of the moment—or is it exciting precarity?—policymakers and healthcare leaders must set directives guiding not only what to do with AI but also when to do it.