Cignet Health First to be Fined Under HIPAA’s Civil Money Penalty

The U.S. Department of Health and Human Services has issued the first Civil Money Penalty (“CMP”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Office of Civil Rights (“OCR”) is responsible for investigation and enforcement of HIPAA complaints and recently fined Cignet Health to the tune of $4.3 million for failing to provide patients with medical records. Under HIPAA, a covered entity must respond to a patient who has requested copies of medical records within thirty (30) days and, under no circumstances, later than sixty (60) days. See 45 C.F.R. § 164.524 for more information. It appears forty-one (41) individual patients filed complaints with the OCR against Cignet stating the company failed to provide copies in a timely fashion. Cignet’s delay led to a substantial number of violations, as each day beyond the allowed time period constitutes a separate HIPAA violation.

Cignet also failed to comply with the OCR’s investigations. The OCR eventually filed an action in the United States District Court to enforce its subpoenas and a default judgment was entered against Cignet. Cignet then complied with the OCR’s efforts. However, in the process, the company provided a significant number of records for patients who did not request copies or file complaints with the OCR. This compounded Cignet’s difficulties because the company inadvertently disclosed protected information under HIPAA’s Privacy Rule.

Ultimately, the company was issued a combined CMP of $4.3 million. $1.3 million of the CMP related to Cignet’s failure to provide records within the allotted time frame. However, the bulk of the CMP, $3 million, pertained to Cignet’s failure to comply with OCR investigations and to its “willful neglect” in refusing to honor subpoenas.

A few critical lessons should be taken from Cignet’s misfortune. The first is that the OCR is now actively enforcing HIPAA requirements through CMPs. It appears the surest way to find oneself on the ugly end of things is to ignore an OCR investigation.

Secondly, covered entities should be careful to note that for each day over the allotted period, a new and distinct violation will accrue under the law. This, in turn, can lead to substantial CMPs.

Lastly, it would be wise to note that the Privacy Rule of HIPAA will be strictly enforced and inadvertent disclosures will not be ignored, even where the disclosure is to a federal entity. During the OCR investigation, Cignet failed to redact medical records for patients who were not included in the complaints and, even though these records were not disclosed to the general public, the OCR viewed the disclosures as violations.

OCR Director Georgina Verdugo warned, “The U.S. Department of Health and Human Services will continue to take action against those organizations that knowingly disregard their obligations under these rules.” It is now clear the OCR’s “actions” will include significant Civil Money Penalties.

Author: Kevin B. Elmore

3 responses

  1. Very interesting article. As a legal professional who frequently deals with healthcare providers, I have first-hand experience with their all-too-frequent misfeasance and malfeasance.

  2. I find it particularly disturbing that Cignet continued its comedy of errors, when it produced records for non-requesting individuals. One would think that being under investigation would instigate a heightened attention to detail. But, I cannot say I am at all surprised.
    On another note, it is inspiring to know that the governmental entities, including the OCR, have finally decided to take action to punish and therefore prevent this kind of behavior. But, I am curious as to whether the aforementioned production of non-requesting individuals’ records had an effect on not only the amount of this landmark fine, but whether the fine would be levied at all.

  3. We have to be mindful of the costs that are associated with HIPAA compliance. A primary concern when the law was initially adopted, and one that continues today, is the expense associated with maintaining and tracking medical records. Long term compliance with HIPAA is not only expensive but also a major time drain for healthcare providers who are already busy complying with statutes, administrative codes, regulations, public policy and internal procedures. Certainly that doesn’t excuse “willful neglect” (the law is the law) but it definitely does not make things easier.

    This was really a test case and represents the first warning shot across the bow of the industry. Unfortunately for Cignet, it lost the right to appeal the decision by delaying its response and that warning shot ended up being a direct hit.
