For the first time in its history, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has imposed a civil monetary penalty (“CMP”) on a “covered entity” for violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. Specifically, in a Notice of Final Determination published on February 22, 2011, OCR found that Cignet Health of Prince George’s County, MD (“Cignet”) violated the HIPAA Privacy Rule, and that the violations warranted a CMP in the amount of $4.3 million.
According to OCR’s Notice, 41 Cignet patients had requested access to their medical records. Although the Privacy Rule requires a covered entity such as Cignet to provide such access within 30 days, Cignet failed to do so, prompting OCR to investigate. According to OCR, Cignet failed to respond to OCR’s phone calls, letters and, eventually, its subpoena. Moreover, after OCR filed a petition to enforce the subpoena in federal court, Cignet did not respond to the petition or otherwise defend the action. On April 7, 2010, following the federal court’s default judgment against Cignet, Cignet produced 59 boxes of medical records containing the records of the 41 individuals who had requested access, along with the medical records of approximately 4,500 other individuals unrelated to the investigation.
In August 2010, OCR informed Cignet that its investigation indicated that Cignet had failed to comply with the Privacy Rule and that Cignet had not resolved the matter informally despite OCR’s efforts to do so. OCR also gave Cignet the opportunity to submit mitigating evidence, affirmative defenses, or evidence as to why CMPs should be waived. According to OCR, Cignet again failed to respond.
Based on Cignet’s failure to provide access and its failure to cooperate with OCR’s investigation, OCR issued a Notice of Proposed Determination and, ultimately, a Notice of Final Determination. The CMP for failing to provide access to records was more than $1.3 million, calculated at $100 per violation (according to OCR’s calculations, a new violation occurred each day, for each individual to whom Cignet denied access). In addition, and perhaps most significantly, the CMP for failing to cooperate with OCR’s investigation was $3 million, and would have been higher but for the $1.5 million per calendar year statutory cap. As it did for the failure to provide access, OCR treated each day, for each individual complaint on which Cignet failed to cooperate with the investigation, as a new violation. Each such violation, however, carried a $50,000 penalty, the minimum penalty for violations due to willful neglect that are not corrected within 30 days of the date on which the covered entity knew or should have known of the violation.
The big takeaway from this enforcement action is that OCR expects covered entities to cooperate with its investigations. Although the agency has publicly stated that it attempts to resolve matters informally, thereby obviating the need for CMPs, OCR will, when necessary, take significant steps to enforce the HIPAA Privacy Rule. Covered entities that receive a letter request, a subpoena, or simply a phone call from OCR should consider how promptly and effectively they respond. Although OCR remained relatively quiet for many years, with HIPAA Privacy and Security audits on the horizon and the imposition of this first, and material, CMP, it is safe to assume that the enforcement landscape will never be the same.