The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became effective in April 2003 and only now, in 2011, is the HHS issuing its first first civil monetary penalty. HHS issued a Notice of Final Determination finding that Cignet Health of Prince George's County, Md., (Cignet) violated the Privacy Rule and imposed $4.3 million in penalties for the violations. The penalty amount is based on the increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request. The penalty for these violations is $1.3 million.