Tuesday, February 22, 2011

OCR Imposes $4.3M Penalty for Violation of HIPAA/HITECH Privacy Rule

UNTIL TODAY, many health care providers questioned whether HHS and the Office of Civil Rights (OCR) would ever issue any significant penalties for violations of the HIPAA Privacy Rule. However, will OCR ever be able to collect the penalties.

Today, HHS Office of Civil Rights (OCR) announced a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George's County, MD for violating the HIPAA Privacy Rule. This is the first ever civil money penalty issued by OCR for a violation of the HIPAA Privacy Rule. It is significant not only because it is the first - but also because of the size of the penalty and the basis for the violation.

OCR issued a Notice of Final Determination on February 4, 2011, outlining the procedure for payment of the $4.3 million civil money penalty. The Notice of Final Determination also indicates that Cignet failed to request a hearing on the matter or reach settlement with OCR. Prior to the issuance of the final notice, OCR had issued a Notice of Proposed Determination on October 20, 2010, which details the basis for the penalty, details the findings of fact, grounds for violation of HIPAA, and calculation of the penalty amount.

The Notice of Proposed Determination indicates that Cignet violated HIPAA by failing to provide individuals access to their health information under 45 CFR 164.524 and failed to cooperate with an investigation under 45 CFR 160.310(b). The Notice states:
1. Failure to Provide Access (45 C.F.R. § 164.524). Cignet failed to provide 41 individuals listed in Attachment A timely access to obtain a copy of the protected health information about them in the designated record sets (medical records) maintained by Cignet. These failures constitute violations of 45 C.F.R. § 164.524. Cignet's failure to provide each individual with access constitutes a separate violation of 45 C.F.R. § 164.524, and each day that the violation continued (that is, from the date specified in column 5 of Attachment A until April 7,2010) counts as a separate violation of 45 C.F.R. § 164.524.

2. Failure to Cooperate with an Investigation (45 C.F.R. § I60.310(b)). Cignet failed to cooperate with OCR's investigation of 27 complaints regarding Cignet's noncompliance described in paragraph 1 above. These failures to cooperate with an investigation constitute violations of 45 C.F.R. § 160.310(b). Cignet's failure to cooperate with OCR's investigation of each complaint constitutes a separate violation of 45 C.F.R. § 160.310(b), and each day that the violation continued (that is, from the date specified in column 7 of Attachment A until April 7, 2010) counts as a separate violation of 45 C.F.R. § 160.310(b). Each violation of 45 C.F.R. § 160.310(b) was due to Cignet's willful neglect of its obligation to comply with 45 C.F.R. § 160.310(b). Willful neglect means the conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. See 45 C.F.R. § 160.401.
The press release issued by HHS points out that the HIPAA Privacy Rule requires that health care providers must provide a patient with access and/or copy of their health information within 30 days (and no later than 60) days after the patient requests such information. Further, the press release indicates that covered entities and business associates must uphold their responsibility to provide patients with access to their own health information.

Read the HHS Press Release and OCR Press Release. More details via the OCR's Resolution Agreement page. For more background on Cignet Health check out David Harlow's post at HealthBlawg, HIPAA CMP's: What's the point?