The Department of Health & Human Services (HHS) Office of Civil Rights (OCR) has issued a notice of final determination concluding that Cignet Health of Prince George's County, Maryland (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil monetary penalty of $4.3 million for the violations. OCR determined that in October 2010, Cignet violated the rights of 41 patients by denying them access to their medical records when requested. The HIPAA Privacy Rule requires covered entities to provide patients with their medical records no later than 60 days after a patient request. Additionally, OCR found that Cignet failed to cooperate in HHS's investigation and refused to produce records in response to an agency subpoena. According to OCR, Cignet was fine d $1.3 million for denying 41 patients access to their medical records between September 2008 and October 2009. The insurer was fined another $3 million for failing to cooperate with the OCR investigation. The agency indicates that this is the first time federal officials have imposed a civil penalty for violations of the HIPAA privacy rule since it went into effect in 2003. For more information, please click here and here.