HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



First civil money penalty for HIPAA Privacy Rule violations

Email This Post Print This Post

The Office for Civil Rights (OCR), HIPAA privacy and security enforcer, has issued its first civil money penalty to a covered entity for violations of the HIPAA Privacy Rule, according to a press release posted today on the Department of Health & Human services (HHS) website.

The OCR fined Cignet Health, of Prince George’s County, MD, $4.3 million for the violations, which also marks the first time federal regulators have used the new monetary penalty structure under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Cignet violated the rights of 41 patients when it denied them access to their medical records, which they requested between September 2008 and October 2009, according to HHS.

Further, Cignet did not respond to OCR’s demands to produce the records and did not cooperate with investigations.

When reached by phone Tuesday afternoon, a customer service representative from Cignet Health said Dr. Dan Austin, CEO, would handle requests from media. He was unavailable at the time, the representative said.

The health system has four locations in Southern Maryland.

The violations are considered “willful neglect”, and fall under the most egregious penalty scale under HITECH, according to Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.

The penalty amount demonstrates the significance of “willful neglect” violations by entities who are “not actively trying to get into compliance and stay in compliance,” Herold says. Further, it shows the importance of having policies and procedures in place to follow during an OCR investigation.

“This should also serve as an example and provide good motivation for all covered entities and business associates to get into compliance, and maintain compliance, with HIPAA and HITECH,” Herold says. “[Privacy and security officers] need to show this news report to their CEOs and CFOs to prove that penalties not only can occur, but that they have now started, and with quite a big, financially painful bang.”

The patients who requested the medical records individually filed complaints with OCR, initiating the government’s investigations. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of his or her medical records within 30 days of the patient’s request, with one possible 30-day extension. Those violations cost Cignet Health $1.3 million. Failing to cooperate with the government investigation accounted for the other $3 million in fines. The penalties are based on amounts authorized by Section 13410(d) of HITECH.

Herold says she expects more patients and patients’ rights groups to submit complaints to OCR in hopes of the same result.

“Due to their apparent lack of compliance, as well as demonstrable arrogance with regard to dealing with the OCR investigators, Cignet now has the dubious honor of being the poster child for HIPAA/HITECH willful neglect,” Herold adds.

This isn’t the first HIPAA violation involving large fines. CVS Caremark Corp. reached a settlement of $2.25 million for potential HIPAA violations in February 2009, and Rite Aid Corporation in the same investigation settled for $1 million a year and a half later. In addition, Health Net, Inc. agreed to pay $250,000 to the state of Connecticut for HIPAA violations in 2010.

Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, notes that OCR hasn’t handed out any “true fines,” rather just settlements, until now.

“It’s hard to know exactly what was going on at Cignet, but failing to cooperate with an OCR investigation, much less failing to directly address customer complaints that raise HIPAA issues, is just plain stupid,” Drummond says. “For some time now, many of us who follow HIPAA have been waiting for OCR to find a particularly egregious case and deliver a significant fine, so that some in the healthcare industry who have gotten lackadaisical about HIPAA compliance will sit up and take notice. This may just be the case.”

Read the Notice of Final Determination with Cignet Health.

Leave a Reply