While 30,000 health IT professionals enjoy tropical temperatures and magic kingdoms at the HIMSS 2011 conference in Orlando, Fla., one organization is facing the cold reality of having to pay for violating the Privacy Rule in the Health Insurance Portability and Accountability Act, also known as the HIPAA Privacy Rule. This week, Cignet Health of Prince George’s County in Maryland was fined $4.3 million by the Department of Health & Human Services (HHS). This is the first time the department has issued a civil money penalty (CMP) for a violation of the HIPAA Privacy Rule by a covered entity.
Though the phrase “violation of the HIPAA Privacy Rule” might conjure up images of sensitive patient medical records left unshredded in a city dumpster, Cignet in fact violated the rule by withholding information: denying 41 patients access to their medical records when requested. These patients filed individual complaints with the HHS Office for Civil Rights (OCR), which investigated each complaint.
Cignet’s failure to provide medical records to those 41 patients will cost the company $1.3 million. The company — which refused to respond to the OCR’s demands for the records — will pay an additional $3 million for failing to cooperate with the office’s investigations.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo in a press release. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules,” she added.
The $4.3 million CMP imposed by HHS is based on the larger penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made significant changes to HIPAA enforcement and compliance.