HHS recently issued fines against two violators of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The first incident pertains to civil money penalties of $4.3 million issued against Cignet Health of Prince George's County, Maryland. HHS fined Cignet $1.3 million for failure to provide patients with access to their medical records as required by the HIPAA Privacy Rule, and $3 million for failure to cooperate with the HHS Office for Civil Rights investigation. The Cignet fine marks the first time that HHS assessed civil money penalties against a covered entity for failure to comply with HIPAA. The violation categories and penalties are based on the increased authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The second incident involved a resolution agreement between HHS and Massachusetts General Hospital (Mass General) for $1 million to settle potential violations of the HIPAA Privacy Rule. In this incident, an employee of Mass General lost protected health information (PHI) for 192 patients when the employee left the files on the subway while commuting to work. The settlement follows a probe by the HHS Office for Civil Rights that found that Mass General failed to implement "reasonable, appropriate safeguards to protect the privacy of PHI" that was removed from Mass General's premises and subsequently disclosed, a potential violation of the HIPAA Privacy Rule.

The HIPAA Privacy Rule requires that a covered entity, upon patient request, provide the patient with a copy of their medical records within 30 days (and no later than 60 days) of the request.