A Maryland health care facility was fined $4.3 million by the U.S. Department of Health and Human Services (HHS) for alleged HIPAA privacy violations. HHS’ action, announced Feb. 22, constitutes the first formal civil monetary penalty (CMP) imposed by the agency, and demonstrates the massive penalties that can result from the privacy penalty structure created by the 2009 HIPAA amendments.

The enforcement action against Cignet Health was triggered by complaints to HHS’ Office for Civil Rights (OCR) from 41 patients who alleged Cignet had denied them access to their own medical records, according to an HHS statement.

OCR ultimately found Cignet had violated HIPAA’s access requirements, and imposed $1.3 million in CMPs, but also tacked on $3 million for not cooperating with the investigation. Cignet allegedly ignored OCR’s demands to produce the records -- even in response to a subpoena -- for more than a year, until the agency went to court to enforce the subpoena and obtained a default judgment.

The penalties reflect OCR’s finding that Cignet failed to cooperate “on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule,” the agency stated. “The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.”

The access requests at issue began in August 2008. By September 2009, 38 complaints had been filed with OCR (regarding 41 individuals), alleging Cignet failed to provide them access to their own protected health information within 60 days, as HIPAA requires. When OCR notified Cignet of its investigation, the clinic simply did not respond -- to the initial notifications or to follow-up letters and phone calls -- the agency would allege. When Cignet finally produced the records, they were in a box with those of about 4,500 other patients “for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure” of their PHI, according to OCR’s proposed penalty determination.

In calculating the CMP, OCR counted each day that each individual was denied access (beyond 60 days) as a separate violation. By imposing a $100 penalty for each such violation (until April 7, 2010), OCR arrived at a total of $1,351,600. Because OCR found Cignet’s failure to cooperate involved “willful neglect,” the agency assessed HITECH’s willful neglect minimum of $50,000 per day (for 27 separate complaints), up to the annual maximum of $1.5 million for calendar years 2009 and 2010.

The full text of OCR’s proposed and final penalty orders is available on the agency’s website at http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html.