Earlier this week, HHS announced that it had imposed fines of $4.3 million on Maryland-based Cignet Health of Prince George’s County for violations of the HIPAA Privacy Rule.
In October, HHS released its Notice of Proposed Determination against Cignet. HHS found that Cignet had violated the rights of 41 patients when it denied them access to their medical records despite the HIPAA requirement that covered entities provide patients with copies of their medical records no later than 60 days from receipt of a request. The civil monetary penalty for this violation was $1.3 million.
HHS imposed an additional civil monetary penalty in the amount of $3 million on Cignet for failure "to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule." The Notice of Final Determination stated that Cignet failed to request a hearing to dispute or settle the fine amount. This fine is the first imposed against a healthcare provider under the Privacy Rule.
HHS also announced this week that it had reached a $1 million settlement with Massachusetts General Hospital over potential Privacy Rule violations. Some privacy observers have taken these two actions as a warning that HHS is prepared to actively enforce HIPAA privacy protections.