Cignet Health Charged with HIPAA Violation
Violating 41 patients’ privacy rights will cost Cignet Health of Prince George’s County, Md. dearly, but not nearly as much as the price tag for not cooperating with the government. The insurer’s actions have resulted in the first civil money penalty (CMP) issued by the U.S. Department of Health and Human Services (HHS) for violating the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). The initial violation will cost the insurer $1.3 million, but the price tag for failing to cooperate with Office for Civil Rights (OCR) investigations and demonstrating “willful neglect” to comply with the Privacy Rule will cost Cignet Health an additional $3 million.
OCR first sent Cignet Health a Notice of Proposed Determination Oct. 20, 2010, after 41 patients complained that they were denied access to their medical records. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of his or her medical records within 30 (and no later than 60) days of the patient’s request.
To make matters worse, Cignet Health reportedly refused to respond to OCR demands to produce the requested records. Cignet Health eventually produced the medical records to OCR, but not until after the agency filed a petition to enforce a subpoena for the records in the U.S. District Court.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
HHS issued Cignet Health a Final Notice of Determination Feb. 4.
Learn more about HIPAA privacy on the HHS website.