Cignet Health’s Violation of HIPAA Privacy Rule Resulted in $4.3 Million Penalty
In its first civil monetary penalty issued for a covered entity’s violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), imposed a $4.3 million penalty on Cignet Health of Prince George’s County, Maryland (Cignet) in its Notice of Final Determination. In the October 20, 2010 Notice of Proposed Determination, the OCR found that Cignet denied 41 patients access to their medical records when requested. Subject to certain exceptions, 45 CFR 164.524 provides that an individual has a right of access to inspect and obtain a copy of his/her protected health information in a designated record set no later than 30 days (60 days for information that is not maintained or accessible to the covered entity on-site) after the covered entity’s receipt of the request. Moreover, the OCR found that Cignet failed to cooperate with the OCR’s investigations and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.
For more information, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or (212) 734-0128 or visit the HIPAA specialty page on the HLP website.