HHS Issues Civil Money Penalty for Privacy Rule Violations

The Office for Civil Rights (OCR), HIPAA privacy and security enforcer, has issued its first civil money penalty to a covered entity for violations of the HIPAA Privacy Rule, according to a press release posted today on the Department of Health & Human services (HHS) website.

The OCR fined Cignet Health, of Prince George’s County, MD, $4.3 million for the violations, which also marks the first time federal regulators have used the new monetary penalty structure under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Cignet violated the rights of 41 patients when it denied them access to their medical records, which they requested between September 2008 and October 2009, according to HHS.

Further, Cignet did not respond to OCR’s demands to produce the records and did not cooperate with investigations.

When reached by phone Tuesday afternoon, a customer service representative from Cignet Health said Dr. Dan Austin, CEO, would handle requests from media. He was unavailable at the time, the representative said.

The violations are considered “willful neglect”, and fall under the most egregious penalty scale under HITECH, according to Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.

The penalty amount demonstrates the significance of “willful neglect” violations by entities who are “not actively trying to get into compliance and stay in compliance,” Herold says. Further, it shows the importance of having policies and procedures in place to follow during an OCR investigation.