Foster Swift Employment, Labor & Benefits Quarterly
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently imposed a civil monetary penalty of just over $4.3 million against Cignet Health of Prince George’s County in Maryland (Cignet). Forty-one patients had filed complaints with OCR after being denied access to their medical records by Cignet. OCR investigated the matter and determined that Cignet had indeed violated the patients’ rights by denying them access to their medical records. The penalty for these violations was $1.3 million.
During the investigation, Cignet failed to respond to repeated informal demands from OCR to produce the records at issue. Cignet also failed to produce the records in response to an OCR subpoena. OCR eventually filed a petition to enforce its subpoena in federal court and obtained a default judgment against Cignet. Cignet then produced the records, but the damage had already been done. The OCR determined that Cignet’s failure to cooperate was due to willful neglect and fined Cignet an additional $3 million.
This was the first civil monetary penalty issued by OCR for a violation of the HIPAA privacy rule. Mere weeks after this penalty was issued, Massachusetts General Hospital (Mass General) signed a Resolution Agreement with OCR pursuant to which Mass General agreed to pay the federal government $1 million to settle potential HIPAA violations. These potential violations stemmed from the loss of protected health information when an employee, who was commuting to work, left 192 patient records on a train. The records were never recovered.
The government is clearly increasing its enforcement of the HIPAA privacy and security rules. Those organizations that are required to comply with HIPAA should review their policies and procedures to ensure that patient information is being adequately protected.
If you would like assistance in developing or updating your HIPAA policies and procedures, please contact Johanna Novak at 517.371.8231.