Legal Update
Feb 25, 2011
$4.3 Million Penalty for Violations of the HIPAA Privacy Rules
On February 4, 2011, the Office of Civil Rights ("OCR") of the Department of Health and Human Services issued a Notice of Final Determination imposing penalties amounting to $4.3 million on Cignet Health of Prince Georges County, Maryland ("Cignet") for its failure to comply with the privacy rules promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
OCR found that Cignet violated the rights of 41 patients by denying them access to their medical records when requested. Several of these individuals informed Cignet that they were requesting copies of their medical records so they could obtain health care services from physicians other than those who were employed by Cignet. These individuals subsequently filed complaints with OCR, which prompted OCR to start an investigation of Cignet. OCR’s requests to Cignet for these medical records went unanswered until OCR’s subpoena was enforced by federal court. After the subpoena was enforced, Cignet delivered the medical records of the 41 patients, as well as the records for 4,500 other patients, but according to OCR, Cignet failed to respond to or otherwise cooperate with OCR thereafter.
The HIPAA privacy rules also require covered entities to cooperate with investigations. OCR found that, under the privacy rules, the failure to cooperate with each complaint constituted a separate violation and each day the violation continued constituted a separate violation. OCR found that the failure to cooperate was due to Cignet’s willful neglect to comply with the privacy rules. OCR imposed an additional $3 million for this violation.
This penalty imposed on Cignet is the first instance in which OCR has imposed civil money penalties on a covered entity under the privacy rules. Although Cignet is a covered health care provider, the same rules and penalties would apply to employer-sponsored health plans. OCR has reached settlement agreements with other covered entities that did cooperate with its investigation, in which those entities had to pay amounts to OCR. Those amounts, however, were not considered civil money penalties.
Plan sponsors and other covered entities should ensure that they are ready to comply with the privacy rules and should cooperate with any OCR investigations.
The HIPAA privacy rules require that a covered entity provide a patient with a copy of their medical records within 30 days of the patient’s request. OCR found that, under the privacy rules, each violation against the 41 individuals constituted 41 separate violations, and each day the violation continued constituted separate violations. Accordingly, OCR imposed $1.3 million for these violations.
Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.