“This should also serve as an example and provide good motivation for all covered entities and business associates to get into compliance, and maintain compliance, with HIPAA and HITECH,” Herold says. “[Privacy and security officers] need to show this news report to their CEOs and CFOs to prove that penalties not only can occur, but that they have now started, and with quite a big, financially painful bang.”
The patients who requested the medical records individually filed complaints with OCR, initiating the government’s investigations. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of his or her medical records within 30 days of the patient’s request, with one possible 30-day extension. Those violations cost Cignet Health $1.3 million. Failing to cooperate with the government investigation accounted for the other $3 million in fines. The penalties are based on amounts authorized by Section 13410(d) of HITECH.
Herold says she expects more patients and patients’ rights groups to submit complaints to OCR in hopes of the same result.
“Due to their apparent lack of compliance, as well as demonstrable arrogance with regard to dealing with the OCR investigators, Cignet now has the dubious honor of being the poster child for HIPAA/HITECH willful neglect,” Herold adds.
This isn’t the first HIPAA violation involving large fines. CVS Caremark Corp. reached a settlement of $2.25 million for potential HIPAA violations in February 2009, and Rite Aid Corporation in the same investigation settled for $1 million a year and a half later. In addition, Health Net, Inc. agreed to pay $250,000 to the state of Connecticut for HIPAA violations in 2010.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, notes that until now OCR hasn’t handed out any “true fines,” but rather only settlements.
“It’s hard to know exactly what was going on at Cignet, but failing to cooperate with an OCR investigation, much less failing to directly address customer complaints that raise HIPAA issues, is just plain stupid,” Drummond says. “For some time now, many of us who follow HIPAA have been waiting for OCR to find a particularly egregious case and deliver a significant fine, so that some in the healthcare industry who have gotten lackadaisical about HIPAA compliance will sit up and take notice. This may just be the case.”