[ Tuesday, February 22, 2011 ]
Can You Hear Me Now? $4,300,000!!
OCR has issued a civil penalty for a series of HIPAA violations by Cignet Health of Maryland. Cignet apparently refused to turn over protected health information to individuals when they requested it. 41 separate complaints came from 41 different individuals. More importantly, Cignet apparently completely failed to cooperate with OCR, and obstructed the investigations. OCR had to go to the Federal Court to get Cignet to respond to their subpoena for information. After taking a default judgment, Cignet surrendered the requested records, but did nothing to actually address the complaints.
This is the first ever civil penalty imposed by OCR under HIPAA, and it's obviously a monster. A few other entities have agreed to settlements, and some have been tagged by state Attorneys General for HIPAA violations (under HITECH's dispersal of power to enforce). And there have been some criminal violations. But OCR hasn't handed out any true fines until now. It's also useful to note that this fine takes advantage of the increased penalties under HITECH, particularly the multiplier for "willful neglect."
I don't know what the heck was going on at Cignet, but failing to cooperate with an OCR investigation (much less failing to address customer complaints that raise HIPAA issues) is staggeringly stupid. For years, I've been waiting and hoping that OCR would find the right case and spank somebody, so that it would shake some other healthcare industry participants out of their HIPAA stupor and encourage all to take a closer look at compliance. This may just do the trick.
In the immortal words of Keanu Reeves: "Whoa."
UPDATE: More here. And here.
UPDATE II: still more reaction here
Jeff [2:17 PM]