On February 22, 2011, the Department of Health and Human Services Office of Civil Rights (OCR) released a Notice of Final Determination finding that Cignet Health (Cignet), a health system in Maryland, violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. OCR imposed a civil money penalty (CMP) of $4.3 million for the violations. The CMP is the first ever levied by OCR for a HIPAA violation and was authorized by the new penalty provisions in Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Notice of Final Determination followed an October 20, 2010, Notice of Proposed Determination in which OCR alleged that Cignet violated the rights of 41 patients by denying them access to their medical records in 2008 and 2009. Under the patient rights provisions of the Privacy Rule, a covered entity such as Cignet must provide a patient with a copy of their medical records no later than 60 days from the patient’s request. According to OCR, many of the patients were requesting the copies so that they could obtain services from physicians outside of the Cignet system. The patients filed complaints with OCR, which initiated investigations of the complaints.

Cignet allegedly refused to cooperate in any way with the OCR investigation. The Notice of Proposed Determination identifies numerous instances in which Cignet ignored OCR’s requests for documents and failed to comply with an OCR subpoena. Cignet ultimately produced the records requested by OCR but did not take any other action to respond to the complaints or settle the matter. The $4.3 million CMP is composed of two parts: $1.3 million for the violations of patient rights, and $3 million for failure to comply with OCR’s investigation. The CMP was based in large part on the increased penalty provisions enacted as part of HITECH. The Notice of Final Determination and Notice of Proposed Determination are available for viewing here.1