The health care industry’s toothless tiger finally bared its teeth, as the U.S. Department of Health and Human Services issued a $4.3 m fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996.
The U.S. Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS’s Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and for failing to respond to requests from HHS’s Office of Civil Rights for information related to the complaints.
A copy of a penalty notice against Cignet depicts a two year effort in which HHS struggled with what appears to be a dysfunctional Maryland provider unaware of the potential impact of HIPAA non compliance, and unwilling or unable to cooperate with HHS in any way.
Following patient complaints, repeated efforts by HHS to inquire about the missing health records were ignored by Cignet, as was a subpoena granted to HHS’s Office of Civil Rights ordering Cignet to produce the records or defend itself in any way. When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR.
In the end, HHS’s Office of Civil Rights found that Cignet showed “willful neglect of its obligation to comply with the requirement of the Privacy Rule and, in essence, threw the book at the Maryland provider.
HIPAA has been a force in the health care industry for more than a decade: forcing health care providers of all stripes to institute tighter controls over patient data. However, for years after its passage, HIPAA lacked strong language about enforcement and penalties for non compliance. That changed with the passage of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. That law strengthened privacy and information security provisions of HIPAA and expanded the list of entities covered by the law.