A Health Care E-Alert

On February 22, 2011 the HHS Office for Civil Rights (OCR) issued a civil monetary penalty against Cignet Health of Prince George’s County, Maryland in the amount of $4.3 million dollars for violations of the HIPAA privacy rule. The amount of this penalty was based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HHS February 22, 2011 press release.

OCR found that Cignet Health failed to provide 41 patients access to their medical records when requested. OCR imposed a penalty of $1.3 million for Cignet Health’s failure to provide access to medical records. The larger part of the penalty, $3 million, was assessed because Cignet Health failed to respond to OCR demands to produce the records, failed to cooperate with OCR’s investigations and finally, failed to respond to a subpoena for records.

OCR Director Verdugo said “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements. The U.S. Department of Health and Human Services will continue to investigate and take action against organizations that knowingly disregard their obligations under these rules.”

The lesson learned from this is that OCR is becoming more aggressive in investigating complaints, and is far less willing to accept corrective action in lieu of penalties than it has been in the past. Each covered entity and business associate must understand its own obligations under the HIPAA privacy rule, and act in good faith to honor those obligations in order to avoid enforcement actions and penalties.

HIPAA complaints must be taken seriously and responded to appropriately, whether they are directly from a member or patient, or from OCR. If OCR undertakes an investigation, it is important to cooperate. However, the most prudent first step when you are contacted by OCR may be to contact your legal counsel to assist in formulating your response. But under no circumstances should you make the same mistake as Cignet Health and ignore OCR investigations or requests for information.

Anyone can become the subject of an OCR investigation. However, your ultimate goal should be to avoid enforcement actions and penalties. The best way to do that is to have a strong HIPAA compliance program in place, and to periodically review it to make sure it reflects changes in your organization, as well as changes in the law. Periodic compliance audits and retraining of your workforce are also an important part of maintaining a strong compliance program.