Governance & Risk Management , Privacy
HIPAA Privacy Fine: $4.3 MillionClinics Failed to Provide Patients With Records Access
Cignet, a Christian-influenced medical service, operates four clinics in southern Maryland. The HITECH Act created higher fines for HIPAA violations, which were issued in this case.
"The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.
Two HIPAA FinesThe individuals affected filed records access complaints with the HHS' Office for Civil Rights between September 2008 and October 2009. The HIPAA privacy rule requires that a covered entity, such as a clinic or hospital, provide a patient with a copy of their records no later than 60 days after a request. HHS imposed a "civil monetary penalty" of $1.3 million for Cignet's violation of this requirement.
HHS explained in a statement that Cignet refused to respond to OCR's demands to produce the records and failed to cooperate with OCR's investigations of the complaints and produce the records in response to a subpoena. OCR filed a petition to enforce its subpoena in a U.S. District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means, HHS said.
Cignet failed to cooperate with OCR's investigations from March 2009 to April 2010, constituting willful neglect to comply with the HIPAA privacy rule, according to HHS. HIPAA covered entities are required under law to cooperate with the department's investigations. The fine for these violations was $3 million.
"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records and adhere closely to all of HIPAA's requirements," said OCR Director Georgina Verdugo. OCR "will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules," she added.
Unlike the Cignet case, which involves a civil monetary penalty, several earlier HIPAA violation cases led to resolution agreements that included plans to take corrective action. For example, Rite Aid agreed to a $1 million settlement and a plan to take corrective steps after it was determined the chain was improperly disposing of prescription information.