On February 4, 2011, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services issued a Notice of Final Determination imposing penalties amounting to $4.3 million on Cignet Health of Prince Georges County, Maryland (“Cignet”) for its failure to comply with the privacy rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

OCR found that Cignet violated the rights of 41 patients by denying them access to their medical records when requested. Several of these individuals informed Cignet that they were requesting copies of their medical records so they could obtain health care services from physicians other than those who were employed by Cignet. These individuals subsequently filed complaints with OCR, which prompted OCR to start an investigation of Cignet. OCR’s requests to Cignet for these medical records went unanswered until OCR’s subpoena was enforced by federal court. After the subpoena was enforced, Cignet delivered the medical records of the 41 patients, as well as the records for 4,500 other patients, but according to OCR, Cignet failed to respond to or otherwise cooperate with OCR thereafter.

The HIPAA privacy rules require that a covered entity provide a patient with a copy of their medical records within 30 days of the patient’s request. OCR found that, under the privacy rules, each violation against the 41 individuals constituted 41 separate violations, and each day the violation continued constituted separate violations. Accordingly, OCR imposed $1.3 million for these violations.

The HIPAA privacy rules also require covered entities to cooperate with investigations. OCR found that, under the privacy rules, the failure to cooperate with each complaint constituted a separate violation and each day the violation continued constituted a separate violation. OCR found that the failure to cooperate was due to Cignet’s willful neglect to comply with the privacy rules. OCR imposed an additional $3 million for this violation.

This penalty imposed on Cignet is the first instance OCR has imposed civil money penalties on a covered entity under the privacy rules. OCR has reached settlement agreements with other covered entities that did cooperate with its investigation. in which those entities had to pay amounts to OCR. Those amounts, however, were not considered civil money penalties.

Covered entities should ensure that they are ready to comply with the privacy rules and should cooperate with any OCR investigations.