The U.S. Department of Health and Human Services has issued the first Civil Money Penalty (“CMP”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Office of Civil Rights (“OCR”) is responsible for investigation and enforcement of HIPAA complaints and recently fined Cignet Health to the tune of $4.3 million for failing to provide patients with medical records. Under HIPAA, a covered entity must provide a response to a patient who has requested copies of medical records within thirty (30) days and, under no circumstances, after sixty (60) days. See 45 C.F.R. § 164.524 for more information. It appears forty-one (41) individual patients filed complaints with the OCR against Cignet stating the company failed to provide copies in a timely fashion. Cignet’s delay led to a substantial number of violations, as each day beyond the allowed time period constitutes a separate HIPAA violation.
Cignet also failed to comply with the OCR’s investigations. The OCR eventually filed an action in the United States District Court to enforce its subpoenas and a default judgment was entered against Cignet. Cignet then complied with the OCR’s efforts. However, in the process, the company provided a significant number of records for patients who did not request copies or file complaints with the OCR. This compounded Cignet’s difficulties because the company inadvertently disclosed protected information under HIPAA’s Privacy Rule.
Ultimately, the company was issued a combined CMP of $4.3 million. $1.3 million of the CMP related to Cignet’s failure to provide records within the allotted time frame. However, the bulk of the CMP, $3 million, pertained to Cignet’s failure to comply with OCR investigations and for “willful neglect” in refusing to honor subpoenas.
A few critical lessons should be taken from Cignet’s misfortune. The first is that the OCR is now actively enforcing HIPAA requirements through CMPs. It appears the surest way to find oneself on the ugly end of things is to ignore an OCR investigation.
Secondly, covered entities should be careful to note that for each day over the allotted period, a new and distinct violation will accrue under the law. This, in turn, can lead to substantial CMPs.
Lastly, it would be wise to note that the Privacy Rule of HIPAA will be strictly enforced and inadvertent disclosures will not be ignored, even where the disclosure is to a federal entity. During the OCR investigation, Cignet failed to redact medical records for patients who were not included in the complaints and, even though these records were not disclosed to the general public, the OCR viewed the disclosures as violations.
OCR Director Georgina Verdugo warned, “The U.S. Department of Health and Human Services will continue to take action against those organizations that knowingly disregard their obligations under these rules.” It is now clear the OCR’s “actions” will include significant Civil Money Penalties.
Author: Kevin B. Elmore