In the run-up to the HIPAA-HITECH final rule release due in March, the Office for Civil Rights (OCR) has handed down a large civil penalty for violations of the HIPAA Privacy Rule, which governs the administration of patient health care information.
Cignet Health of Maryland was fined $4.3 million by the OCR for violations stemming from the company's denial of access to patient records in forty-one instances between 2008 and 2009.
The fine was determined by rules set forth under the HITECH Act, a set of laws that work in conjunction with HIPAA statutes. A press release from the Department of Health and Human Services states:
"During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means."
The penalty is another sign that the OCR is taking its role as HIPAA/HITECH enforcer very seriously, and further actions are expected as patients and healthcare privacy advocates press for more enforcement in the wake of violations.
"This should also serve as an example and provide good motivation for all covered entities and business associates to get into compliance, and maintain compliance, with HIPAA and HITECH. [Privacy and security officers] need to show this news report to their CEOs and CFOs to prove that penalties not only can occur, but that they have now started, and with quite a big, financially painful bang," said privacy expert and Infosec Island contributor Rebecca Herold.
The severity of the penalty was likely due to Cignet's refusal to comply with OCR requests to provide access and the company's lack of cooperation with the investigation.
"Due to their apparent lack of compliance, as well as demonstrable arrogance with regard to dealing with the OCR investigators, Cignet now has the dubious honor of being the poster child for HIPAA/HITECH willful neglect..." Herold continued.
Herold was instrumental in the creation of the Compliance Helper platform, which provides security and privacy management and documentation for covered entities, as well as the means to effectively manage compliance monitoring of business associates.