First Civil Money Penalty issued for HIPAA Violations

In another round of “HIPAA enforcement is amping up and the penalties can be very costly” this week’s blog details another recent action taken by the US Department of Health &Human Services Office for Civil Rights.  A recent press release announced that the Organization issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule.

According to the press release, it was found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with Office for Civil Rights, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.

The Office for Civil Rights also found that Cignet failed to cooperate with investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at

Setting up service with an on-site shredding service is a key component of ensuring top quality HIPAA compliance.  For more information, please visit

by Judith