For the first time, the federal government has imposed a civil money penalty (CMP) on a covered entity for a violation of the HIPAA privacy rule. The federal Centers for Medicare and Medicaid Services Office of Civil Rights (OCR) announced the final administrative action against Cignet on Feb. 22, 2011. $3 millions of the penalty was imposed for Cignet's failure to cooperate with the government's investigation. $1.35 million was imposed for failure to provide patients with access to their medical records, as required by the law. Because Cignet failed to request a hearing within the required timeframe, the CMP is not appealable. This case, which was based on patient complaints, demonstrates the government's commitment to enforcing HIPAA privacy rules.

The Cignet investigation began with a number of patient complaints filed with the federal OCR in spring of 2009, alleging that Cignet failed to provide individual patients with access to their patient records as required by HIPAA. OCR investigated the complaints and provided Cignet the opportunity for an informal resolution by producing the medical records within a set time frame. According to the OCR's findings of fact, Cignet failed to produce the records and, in fact, failed to respond to OCR's letters at all. OCR then issued a formal subpoena, to which there was no response. On March 30, 2010 the OCR petitioned the federal district court to enforce the subpoena. Cignet did not appear at the hearing or defend the action and the court granted a default judgment and directed Cignet to produce the records by April 7, 2010. On that date, Cignet produced 59 boxes of patient records which included not only the requested medical records, but also included records for 4,500 individuals that were not subject to the order and for which Cignet had "no basis for the disclosure" of those patient's records. Cignet failed to provide any defense or to respond to the OCR's formal communications. In determining the amount of the CMP, OCR considered a number of aggravating factors, including: (a) Cignet's failure to provide records hindered the patients' ability to obtain health care; and (b) Cignet's failure to respond caused the OCR to issue a subpoena and petition the court before Cignet provided the records.

Each individual patient complaint constitutes a separate violation and HIPAA imposes penalties for each day the violation continues. The OCR found that Cignet's failure to cooperate with the investigation constituted willful neglect (defined as the conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA).

To read the Determination Notices and the OCR's press release, visit: http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html