Cignet Fined $4.3 Million For Refusing Patient Access to Health Records

WASHINGTON—The first-ever civil fine for violating the privacy rule of the Health Insurance Portability and Accountability Act of 1996 has been assessed against Largo, Md.-based Cignet Health of Prince George’s County.

The U.S. Department of Health and Human Services imposed the $1.3 million fine Tuesday after determining that Cignet violated 41 patients’ rights by denying their requests to access their medical records.

The patients filed individual complaints with the Office of Civil Rights under the HIPAA privacy rule that requires covered entities to provide patients with copies of their medical records within 30 days and no later than 60 days after a patient’s request.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records, HHS said. In addition, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.

In response, OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records, but otherwise made no efforts to resolve the complaints through informal means, according to HHS. Covered entities are required by law to cooperate with the agency’s investigations.

Because Cignet failed to cooperate with OCR’s investigations on a continuing basis between March 17, 2009, and April 7, 2010, HHS assessed an additional $3 million fine, bringing the total penalty against Cignet to $4.3 million.

Cignet could not be reached immediately for comment.

Although this was the first-ever civil fine assessed under HIPAA, HHS reached agreements with several other entities governed by the law that collectively total more than $4 million.

General Hospital Corp. and Massachusetts General Physicians Organization Inc., agreed Thursday to pay $1 million to settle potential HIPAA violations.

In July 2010, HHS reached a $1 million settlement over possible HIPAA violations with Rite Aid Corp. and its 40 affiliated entities.

And in November 2009, CVS Caremark Corp. agreed to pay $2.25 million for improperly disposing of patient records.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements, OCR Director Georgina Verdugo said in a statement. “The U.S. Department of Health and Human Services will continue to investigate and take action against these organizations that knowingly disregard their obligations under these rules.”