On February 22, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $4.3-million civil monetary penalty against Cignet Health (Cignet), a covered entity, for violating the HIPAA Privacy Rule. This was the first civil monetary penalty ever issued by OCR for a covered entity's violation of the HIPAA Privacy Rule. Although there have been a number of settlements arising from alleged HIPAA violations, never before has OCR imposed a civil monetary penalty against a covered entity for violating the HIPAA Privacy Rule. The penalty against Cignet was based on the new violation categories and the increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR's action may foreshadow increased scrutiny and an invigorated willingness to assess significant penalties against covered entities for HIPAA violations.
The $4.3-million civil monetary penalty was triggered by Cignet's failure to provide access to the medical records of 41 patients, as well as its failure to adequately cooperate with OCR's investigation. Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records — to verify that the entity's operations are current with the recent legal changes.
Patients' Rights Violations and Failure to Cooperate Lead to Civil Monetary Penalty
OCR imposed the civil monetary penalty against Cignet after finding that Cignet violated the rights of 41 patients by not providing the patients access to their medical records, between September 2008 and October 2009, despite the patients' requests for copies of their medical records. The patients individually filed complaints with OCR, initiating investigations of each complaint. Although there are certain exceptions, 45 C.F.R. section 164.524 generally requires that a covered entity provide a patient with a copy of his/her medical records within 30 days, and no later than 60 days, of the patient's request. OCR assessed a $1.3-million civil monetary penalty against Cignet for its violations of the HIPAA Privacy Rule.
OCR also assessed a $3-million civil monetary penalty on the grounds that Cignet failed to cooperate in OCR's investigation. Covered entities are legally required under 45 C.F.R. section 160.310(b) to cooperate with the government in such investigations. According to OCR's findings, Cignet did not cooperate with OCR's investigations of the complaints, nor did it produce the records in response to OCR's requests. Cignet eventually produced the medical records to OCR, but according to OCR, Cignet made no effort to informally resolve the complaints with the patients or the government.
For violations of the HIPAA Privacy Rule, OCR is authorized to impose civil monetary penalties of up to $50,000 per violation, with a maximum amount of $1.5 million per year.
Practical Advice for Covered Entities
In light of OCR's landmark HIPAA penalty, here is some practical advice covered entities should consider.
- Covered entities must timely respond to patient requests for medical records and protected health information (PHI). The Privacy Rule requires covered entities to provide individuals with access to PHI contained in the individual's designated record set. Covered entities are permitted under HIPAA to charge cost-based reasonable fees for the preparation and production of these records. However, the covered entity must act on the request within 30 days, and no later than 60 days, of the patient's request. Covered entities also should check state laws, since HIPAA does not preempt more stringent state provisions.
- Covered entities should ensure their compliance program policies and procedures are current with the recent HIPAA developments and changes. The rules and regulations have undergone significant change as a result of amendments made by the HITECH Act. Although new proposed rules implementing the HITECH Act were published on July 14, 2011 (75 FR 40868), the final regulations have not yet been issued, but are expected to be released soon. Covered entities will need to review these regulations and comply with them once they are effective.
- Covered entities should verify their actual practices regarding HIPAA privacy and security match up with the expectations set forth in their written policies and procedures. Staff should be periodically trained and educated on relevant privacy requirements under federal and state law. The Notice of Privacy Practices should be current and accurate. In particular, the covered entity's process for security breach reporting should be ready and able to operate in the event of a breach.
- Covered entities should understand their obligations to cooperate with the government regarding HIPAA investigations. Responding to government HIPAA investigations and subpoenas requires a significantly different approach than what might be expected in a commercial litigation context. Covered entities are required by law to cooperate in such investigations.
Conclusion and Implications
OCR's penalty against Cignet may foreshadow more vigorous enforcement of the HIPAA privacy and security rules. Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records — to verify that the entity's operations are current with the recent legal changes. For businesses subject to these rules, collaboration with skilled health care counsel is an important step in protecting against enforcement exposure and helping ensure compliance with HIPAA.
Access a copy of HHS' press release here: http://www.hhs.gov/news/press/2011pres/02/20110222a.html.
Access a copy of HHS' February 4, 2011 Notice of Final Determination here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf.
Access a copy of HHS' October 20, 2010 Notice of Proposed Determination here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf.