Entity Hit with $4.3 Million Fine for HIPAA Violations
By: Justin Vaughn, M.Div, CPC
Director of Compliance

2/24/2011

For the first time ever, a civil monetary penalty has been assessed against a “covered entity” for violations of the HIPAA privacy rule.  The Office for Civil Rights (OCR), the enforcement agency for the Department of Health and Human Services as it concerns the HIPAA privacy standards, levied a fine of $4.3 million against Cignet Health of Prince George’s County, Md.  The fine was based on the entity’s failure to provide its patients access to their own medical records, as required by HIPAA regulations.

According to the OCR’s press release, 41 patients requested copies of their medical records, but were denied.  This resulted in the filing of patient complaints against Cignet with the OCR.  In its investigation, the government determined that Cignet not only rejected patient requests during a 13-month period, but refused to sufficiently cooperate with the ensuing OCR investigation.  As a result, the government utilized new powers granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act to impose a $1.3 million fine for failure to provide medical records, as well as a $3 million fine for delaying a federal investigation. 

This latest federal action is yet another reminder that we are in a new era of enforcement.  Physician practices will have no choice but to ratchet up their compliance efforts in response.

The information presented herein reflects general information that is current as of the date it was first published.  In light of changes that may occur in the health care regulatory and compliance environments, the author's presentation of this information might become outdated.  Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.