News and Insights
Visit regularly for up-to-date information on relevant news, firm announcements and additions to our AZ Health Law Blog.
OCR Imposes First CMP for HIPAA Violation
On February 4, 2011, over seven years since HIPAA became effective, the government has imposed the first civil penalty for a violation of the Privacy Rule. Cignet Health Center has been ordered to pay a $4.3 million penalty in response to Cignet’s failure to provide 41 individuals access to their medical records when requested in 2008 and 2009. HIPAA requires a covered entity to act on a request to an individual’s request for access to personal health records within 30 days after the request is made. 45 C.F.R. § 164.524. Cignet was fined $1.3 million for this violation; $100 per day for each violation. An additional $3 million fine was imposed because of Cignet’s “willful” failure to cooperate with the government’s investigation. Cignet initially did not respond to multiple inquiries from the government pursuant to its investigation. Further, when Cignet was compelled by subpoena to turn over the records it produced over 4,500 records that were not relevant to the case and were not requested by the government. These actions were considered aggravating factors in the determination of the fine.
Due to the unusual nature of development of this investigation, it remains to be seen if the imposition of this fine suggests a stronger regulatory stance from the government in regards to HIPAA violations. Cignet and its owners are all too familiar with the seriousness of health care regulations. The Washington Post reported that Daniel E. Austin, the owner of Cignet, had his license revoked in 200 for a conviction for mail and loan fraud. Additionally, while Cignet used to sell insurance, it had been ordered to cease doing so as it was selling the insurance without a license. Regardless of the reason for the fines, these are not the first millions that have been shed as the result of a HIPAA investigation. See the CVC and Mass General stories, for example. Massachusetts General Hospital settled potential HIPAA violations for a $1 million after losing the medical records of almost 200 people. The Cignet incident merely serves as another reminder that HIPAA investigations are no trifling matter.