Last week, the U.S. Department of Health and Human Services’ ("HHS") Office for Civil Rights imposed a $4.3 million civil money penalty on Cignet Health of Prince George’s County, Md. (Cignet), for violations of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This marks the first time that HHS has used its authority to impose civil money penalties for violations of the HIPAA Privacy Rule by covered entities.

Interestingly, the violations of the Privacy Rule for which the penalty was imposed related not to breaches of information privacy but to Cignet's failure to provide patients with access to their medical records when requested. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. Of the $4.3 million penalty, HHS stated that $1.3 million was due to Cignet's failure to provide the records to patients. The additional $3 million was imposed as a result of Cignet's failure to cooperate with the HHS investigation.

While the facts of this particular case were extreme (Cignet refused to respond to HHS's demands until HHS obtained a default judgment in federal district court to enforce its subpoena), HHS's actions serve as a reminder to covered entities that they need to adhere closely to all of HIPAA's requirements.