Daily Dashboard

Advocates, Experts: OCR’s First Civil Monetary Penalty Sends Message

February 23, 2011

By Jennifer L. Saunders

Privacy and patient rights experts are hailing the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announcement that it has imposed a civil monetary penalty of $4.3 million against Maryland-based Cignet Health for violations of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)--the first such penalty issued for HIPAA privacy violations.

In announcing the fine, HHS Secretary Kathleen Sebelius said, “Ensuring that Americans’ health information privacy is protected is vital to our healthcare system and a priority of this administration,” noting that HHS “is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”

In its Notice of Final Determination, the OCR found that Cignet violated the rights of 41 patients when it denied them access to their medical records despite the HIPAA provision that covered entities provide patients with copies of their medical records no later than 60 days from receipt of a request.

The monetary penalty based on investigations of those patients’ complaints came to $1.3 million, the OCR reports. However, the overall penalty was increased to $4.3 million because “Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means,” according to an OCR media release.

Kirk Nahra, CIPP, of Wiley Rein LLP discussed the implications of the decision with the Daily Dashboard.

“This is the biggest HIPAA enforcement action that has been taken to date and MAY signal a new enforcement approach. The underlying violations, related to access to medical records, seem relatively minor--or at least seem to be similar to complaints that have been lodged against other companies without previous penalties being issued. What seems to be different here is both the finding of ‘willful neglect’ on the original compliance steps and the apparent stonewall that was thrown up in the face of the investigation,” Nahra explained. “HHS has shown itself to be very reasonable in addressing its HIPAA investigations so far, but it’s clearly a really bad idea to ignore or not cooperate with an investigation.” 

Center for Democracy and Technology Health Privacy Project Director Deven McGraw said the OCR’s action sends a clear message.

“It’s a wakeup call for anybody who was being careless and assuming the agency was asleep behind the wheel,” she said. “I think it sends a very clear message that the OCR takes this problem very seriously…and will use its enforcement penalties to go after egregious HIPAA violations.”

Patient Privacy Rights Founder Dr. Deborah Peel welcomed the announcement, telling the Daily Dashboard that her organization is lauding the agency “for enforcing the new consumer privacy protections in HITECH. There is mass civil disobedience by industry; the health IT industry has totally ignored this requirement of both HIPAA and HITECH. Fines are needed to make industry comply with the law and with new patient protections and rights.”

Both Peel and McGraw discussed the importance of patients having access to their records.

“Not being able to get an electronic copy or any copy of health records is a key complaint of patients and absolutely essential for patient safety,” Peel said. “The person with the greatest interest in the accuracy of health data is the patient. Errors, omissions or someone else’s data--as the result of medical identity theft--can cause patients to receive incorrect treatment or even life-threatening treatment.”

OCR Director Georgina Verdugo issued a statement noting, “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records and adhere closely to all of HIPAA’s requirements” and stressed that HHS “will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

“It’s welcome news for privacy advocates to see the OCR using its monetary penalties,” McGraw said.

Going forward, Nahra said, “We'll have to watch whether this is simply an aggressive action against a bad actor who responded badly to the investigation or represents a broader change in enforcement approach.”