The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, MD (“Cignet”) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HHS imposed a civil money penalty (“CMP”) of $4.3 million for the violations, marking the first CMP issued by HHS for a covered entity’s violations of the HIPAA Privacy Rule. The CMP was imposed on February 22, 2011. The CMP was based on OCR’s finding that Cignet failed to provide access to medical records requested by patients and that Cignet failed to cooperate in OCR’s investigation of the matter.
Background on HIPAA’s “New Teeth” – CMP Changes
The CMP issued against Cignet is based in large part on the new violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Prior to HITECH, CMPs for violating HIPAA were $100 per violation, with a cap of $25,000 for all violations of an identical requirement or prohibition during a calendar year. These penalties did not apply if the violator did not know (or by exercising reasonable diligence would not have known) of the violation, or if the failure to comply was due to reasonable cause and was corrected within 30 days.
Effective February 18, 2009, however, HITECH eliminated those exceptions and established new minimum and maximum penalties for HIPAA violations. For the violations that occurred after February 18, 2009, Cignet faced the new and higher penalty structure with a maximum penalty of $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year. The new minimum CMPs are tiered, as follows:
–$100 per violation, with an annual cap of $25,000, for violations where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation;
–$1,000 per violation, with an annual cap of $100,000, for violations due to reasonable cause and not to willful neglect;
–$10,000 per violation, with an annual cap of $250,000, for violations due to willful neglect that are corrected within 30 days of the date the person knows (or should have known) that the violation occurred; and
–$50,000 per violation, with an annual cap of $1,500,000, for violations due to willful neglect that are not corrected within the 30-day period.
What Led to this CMP?
OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical record within 30 days (in some cases, 60 days) of the patient’s request. OCR imposed a penalty of $100 per day, per record, for each day Cignet failed to provide a patient access to their medical record, totaling a CMP of $1,351,600.
OCR also found that Cignet refused to cooperate in OCR’s investigation by failing to respond to OCR’s demands for production of the records. Ultimately, OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, it is reported that Cignet produced the medical records, but otherwise made no efforts to resolve the complaints. For Cignet’s failure to cooperate, OCR imposed the highest penalty available under HITECH – $50,000 per day for each day Cignet willfully neglected to comply with each of OCR’s demands for production. These penalties reached the calendar year cap of $1,500,000 per year for 2009 and 2010, and as such, the CMP issued for these violations totaled $3,000,000.
Interestingly, OCR also noted that Cignet, when complying with the court order to turn over the medical records of the 41 individuals who had been denied access, also turned over medical information of approximately 4,500 other individuals. These records were unsolicited and OCR found there to be no basis for their disclosure. However, OCR did not base the CMPs on these disclosures.
Ultimately, the total CMP issued against Cignet for the failure to provide access and the failure to cooperate in an investigation was $4,351,600.
The Practical Take-Aways
–Covered entities should ensure they provide individuals with timely access to their medical records (and other designated record sets) and closely adhere to HIPAA’s other requirements relating to individual rights.
–If an investigation is initiated by OCR, covered entities and business associates should timely respond to investigation demands to avoid additional penalties and fines.
–This is just the beginning. HHS has stated it will continue to investigate and take action against those covered entities that knowingly disregard their obligations under the HIPAA Privacy and Security Rules.
OCR’s Notices of Proposed and Final Determinations in this case can be found here.
If you need additional information about this topic, please contact your regular Hall Render attorney or:
- Kendra Conover at (317) 977-1456 or kconover@wp.hallrender.com;
- Elizabeth Kurt at (317) 338-3127 or ekurt@wp.hallrender.com;
- Elizabeth Callahan-Morris at (248) 457-7854 or ecallahan@wp.hallrender.com.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.