On Tuesday, the HHS Office for Civil Rights announced that it has issued its first-ever civil penalty for HIPAA privacy rule violations, the Washington Post reports.
OCR fined Cignet Health -- a health center based in Maryland -- $4.3 million for failing to provide copies of medical records to 41 patients who requested them from September 2008 to October 2009 (Sun, Washington Post, 2/22).
The action marks the first instance where federal regulators have used the new monetary fine formula contained in the HITECH Act, part of the 2009 economic stimulus package (Nicastro, Healthleaders Media, 2/23).
Details of Violation
HIPAA requires records to be provided within 60 days of a request. After they did not receive the records they requested, the individuals filed complaints with OCR. The office investigated the case and determined that Cignet refused to provide the records, even after a federal subpoena was issued.
After a federal court in Maryland ordered the group to produce the records, Cignet delivered the records of the 41 patients to the Department of Justice, along with the records of about 4,500 more patients for whom Cignet had no authority to disclose information (Washington Post, 2/22).
A majority of the fine -- $3 million -- stemmed from Cignet's refusal to comply with demands from federal investigators (Daly, Modern Healthcare, 2/22). The remaining $1.3 million of the fine was related to Cignet's failure to provide individuals with copies of their medical records within 30 days (Healthleaders Media, 2/23).
Enforcing Medical Privacy Rules
According to The Hill's "Healthwatch," the fine is an example of the Obama administration's ramped-up enforcement of medical privacy laws (Millman, "Healthwatch," The Hill, 2/22).