In February 2011, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is charged with enforcement of HIPAA privacy and security regulations, announced its first imposition of a civil monetary penalty against a covered entity for a violation of the HIPAA privacy regulations. OCR found that Cignet Health of Mitchellville, Maryland, refused to provide 41 patients with copies of their medical records and, in addition, refused to cooperate with OCR’s efforts to investigate the complaints. The patients individually filed complaints with OCR, which initiated investigations. During the investigations, Cignet refused to provide the records to OCR, both at OCR’s request and in response to a subpoena, and otherwise failed to cooperate with the investigation. After OCR obtained a default judgment in federal court, Cignet produced the records but otherwise made no effort to resolve the complaints through an informal process. The penalty for failure to produce the records to patients was $1.3 million, and the penalty for failure to cooperate in the investigation was $3 million, for a total penalty of $4.3 million.

TIP: OCR is serious about enforcing patients’ rights under HIPAA. Unless a records request falls within a narrow group of exceptions, covered entities must provide individuals with access to their medical records. If there is a valid dispute over a patient’s complaint, OCR makes efforts to resolve disputes by informal means. A covered entity ignores the process at its peril.