HIPAA fine is a first
Cignet accused of denying patients access to records
Like a parent to a disobedient child, HHS last week delivered a harsher punishment to Cignet Health for failing to cooperate than for actually breaking the rules. For the first time, HHS issued a penalty for violating the Health Insurance Portability and Accountability Act’s privacy rule. The violator was Cignet Health, a Temple Hills, Md.-based company with a health plan and four physician offices, which HHS said violated 41 patients’ rights by denying them access to their medical records. Cignet Health did not respond to requests for comment.
Separately last week, HHS announced that Massachusetts General Hospital agreed to pay the federal government $1 million to settle potential HIPAA violations. At issue was the loss of protected health information, or PHI, of 192 patients of the Boston-based provider’s Infectious Disease Associates outpatient practice.
According to HHS, in March 2009, a Massachusetts General employee left documents on a subway train including a patient schedule with names and medical record numbers for 192 patients, as well as billing encounter forms with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 of those patients. The documents were never recovered.
HIPAA’s privacy rule went into effect in 2003, requiring that health plans and providers take certain measures to protect the patient information they handle. Provisions of the American Recovery and Reinvestment Act extended the obligation to business associates of those covered entities.
As with the Massachusetts General resolution, the only previous payments extracted from enforcement actions under the rule were in the guise of resolution agreements with retail pharmacy chains CVS and Rite Aid, and the Oregon division of Providence Health & Services, a Seattle-based system.
Massachusetts General, which agreed to a corrective action plan, said in a statement that the hospital will issue new or revised policies with respect to physician removal and transport of protected health information from the hospital’s premises, laptop encryption and USB drive encryption. It will also provide mandatory training for all members of its workforce on the new policies.
But in the case of Cignet, the payment to the federal government will come in the form of a fine, which HHS broke down to $1.3 million for violation of the HIPAA rule that requires a covered entity to provide patients with their medical records within 30 (and no later than 60) days; and $3 million for failing to cooperate with HHS’ Office for Civil Rights in its investigations on a continuing daily basis from March 17, 2009, to April 7, 2010.
“I don’t know of a situation where parties haven’t cooperated,” said Stephen Bernstein, a lawyer who leads the health industry practice group at McDermott, Will & Emery in Boston. “And my guess is that’s what upset OCR,” he added.
HHS said Cignet denied 41 patients access to their medical records requested between September 2008 and October 2009 and then refused to respond to investigators’ demands to produce the records. The government filed a petition in U.S. District Court to enforce a subpoena and obtained a default judgment against the company. “On April 7, 2010, Cignet produced the medical records, but otherwise made no efforts to resolve the complaints through informal means,” HHS said in a news release.
Trisha Torrey, who maintains information for the website of AdvoConnection, a group that provides patient-advocacy resources, said she was surprised HHS put some “teeth” into its enforcement, given that the rule has existed for years.
Bernstein said healthcare organizations should have policies and procedures in place to comply with the privacy rule, as well as state privacy laws, “So when OCR calls, you’re in a position to have a conversation that is cooperative, open and upfront.” He added later, “What’s curious to me is what would have happened if Cignet had cooperated.”