On February 22, 2011, the United States Department of Health and Human Services Office for Civil Rights ("OCR") ordered Cignet Health of Prince George's County, Maryland, to pay a $4.3 million civil monetary penalty for violating the HIPAA privacy rule. While enforcement of the HIPAA security rule has been on the rise since the passage of the HITECH Act in February 2009, the Cignet ruling marks the first time the OCR has imposed a civil monetary penalty on a covered entity for violating the HIPAA privacy rule. Approximately $1.3 million of the civil monetary penalty imposed on Cignet stems from its violation of the privacy rule's requirement that covered entities provide patients with access to their medical records within 30 days, and no later than 60 days, of a request. According to the OCR, Cignet failed to meet this obligation with respect to 41 patients in October 2010. The remainder of the civil monetary penalty imposed on Cigent is attributable to Cignet's failure to cooperate in the OCR's investigation and refusal to produce records in response to a subpoena.
The Cignet ruling signals an increased interest by the federal government in using the increased civil monetary penalties included in the HITECH Act (up to $1.5 for repeated/uncorrected violations) to punish covered entities that violate the HIPAA privacy rule. In light of the heightened stakes associated with violations of the privacy rule, covered entities should take the following actions to avoid privacy rule missteps that could result in significant civil monetary penalties:
- Review their HIPAA privacy policies and procedures to ensure that obligations required pursuant to the HIPAA privacy rule are adequately addressed;
- Revisit processes that exist within the organization to ensure that obligations addressed in HIPAA privacy policies and procedures are actually being performed;
- Refresh and retrain employees on HIPAA requirements;
- Reinforce the importance of HIPAA compliance and the sizable risks of HIPAA violations related to non-compliance for the organization; and
- Remind the workforce of whom to approach internally with HIPAA questions.