On February 22, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed its first civil money penalty for an entity’s violation of HIPAA’s Privacy Rule. In its Notice of Final Determination, OCR concluded that Cignet Health withheld patient records despite requests for their disclosure. Of the $4.3 million penalty, $1.3 million was levied for denying patients access to their own medical records, while an additional $3 million was imposed due to Cignet’s failure to cooperate with OCR’s investigation as required by the Privacy Rule. Increased penalty amounts were authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).
According to a Notice of Proposed Determination issued by OCR on October 20, 2010, Cignet violated 41 patients’ rights by refusing requests for their medical records between September 2008 and October 2009. During OCR’s subsequent investigation, Cignet both ignored demands to produce the records and failed to comply with a government subpoena. Though Cignet ultimately delivered the medical records to OCR on April 7, 2010, it did not address patient complaints informally. In the Department’s press release, HHS Secretary Kathleen Sebelius emphasized that “[e]nsuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”