Before the HITECH Act, enforcement of Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations was largely a complaint-driven process, the HHS Office of Civil Rights (OCR) was mainly concerned with promoting compliance by covered entities rather than penalizing them, and most investigations were resolved without significant penalties. This past year has been a year of increased enforcement under the HIPAA, a year in which we have witnessed the first jail sentence imposed for a HIPAA violation. Now, the OCR has issued its first civil money penalties for HIPAA violations.

On February 22, OCR issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the HIPAA Privacy Rule. HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule. The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. A copy of the Notice of Final Determination may be found at http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html.

The penalties derived from Cignet's failure to provide patients access to their records upon demand, and Cignet's failure to cooperate with OCR's investigations. Specifically, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

Although Cignet’s reported failure to cooperate likely contributed to the seriousness of the penalties, the lessons for other covered entities are broader than merely than emphasizing the importance of cooperation. The expansion of HIPAA enforcement tools available to the government under the HITECH Act, including significantly increased penalties, the ability of state attorneys general to bring HIPAA enforcement actions, and the potential for affected individuals to share in the penalties all set the stage for still more enforcement actions (including civil penalties like this) in the future.