Prince George’s County has been ordered to pay a $4.3 million fine after it was discovered that two hospitals run by Cignet Health had violated the HIPAA Privacy Rule on 41 separate occasions, refusing to provide patients with a copy of their own medical records.
The Privacy Rule violations took place between September 2008 and October 2009. Requests can be made by patients under Privacy Rule provisions and healthcare providers must provide them with a copy of their records. All requests must be dealt with within 60 days, and while patients should not be charged for the service, healthcare providers can obtain funds from patients to cover the cost of supplying those records. Cignet did not provide information to any of those patients.
When patients were refused access to their records, a number filed complaints with the Office for Civil Rights, the Department of Health and Human Services’ HIPAA enforcer. The OCR investigates potential HIPAA violations, and if it strongly suspects violations have occurred, the organization in question can be subjected to a full compliance review.
Cignet decided not to be particularly cooperative with OCR investigators, and the OCR was required to have a subpoena issued in order to view its records.
First Civil Penalty for Privacy Rule Violations Issued
This is the first time the OCR has issued a penalty for violations of the Privacy Rule, but it is unlikely to be the last. In this instance the failure to provide information constituted willful neglect, and therefore attracted the highest possible penalty. Rachel Seeger of the OCR issued a statement saying that it was willful neglect of HIPAA rules that resulted in such a high fine. $3 of the settlement was due to that.
Cignet clearly did not want to go along with the investigation, and when records were eventually produced, they were given to the Department of Justice. The 41 records were provided, but they were mixed in with some 4,500 others, which Cignet should not have disclosed to any individual.
Until this point, the OCR has preferred to develop action plans for organizations that have violated the Privacy Rule. The aim is to improve the standards of privacy and security, and to prevent HIPAA breaches from occurring in the future. When covered entities are cooperative, show a desire to correct policies and procedures quickly, and can demonstrate that they are making changes, the OCR is likely to be more lenient.