HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule
Last week, the U.S. Department of Health and Human Services’ ("HHS") Office for Civil Rights has imposed a $4.3 million civil money penalty on Cignet Health of Prince George’s County, Md., (Cignet) for violations of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This marks the first time that HHS has used its authority to impose civil money penalties for violations of the HIPAA Privacy Rule by covered entities.
Interestingly, the violations of the Privacy Rule for which the penalty was imposed related not to breaches of information privacy but to Cignet's failure to provide patients with access to their medical records when requested. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. Of the $4.3 million penalty, HHS stated that $1.3 million was due to Cignet's failure to provide the records to patients. The additional $3 million was imposed as a result of Cigna's failure to cooperate with the HHS investigation.
While the facts of this particular case were extreme (Cignet refused to respond to HHS's demands until HHS obtained a default judgment in federal district court to enforce its subpoena), HHS's actions serve as a reminder to covered entities that they need to adhere closely to all of HIPAA's requirements. If you have any questions about whether your HIPAA policies and procedures are up to date or HIPAA policy enforcement, please contact us.
In This Article
You May Also Like
Practical Steps to Achieve (PREP Act Statutory) Immunity for Those on the Front Lines of the Fight Against the COVID-19 Pandemic New HHS Rules Loosen the Stark and Anti-Kickback Reins on Health Care Providers and Suppliers