First HIPAA Civil Monetary Penalty Causes Concern
The big news in the health care privacy world is the imposition by the Health and Human Services (HHS) Office for Civil Rights (OCR) of the first civil monetary penalty for a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. While this isn't the first overall HIPAA penalty, this is the first time that the full HIPAA enforcement process has been used to issue a penalty.
And it's a big one. HHS fined Cignet Health of Prince George's County, Maryland, $4.351 million for its violations of the Privacy Rule.
What does this all mean for covered entities, business associates and others interested in the HIPAA rules?
The Basic Facts
This penalty was issued at the end of a fairly long enforcement process. The penalty is based on a series of violations of the HIPAA access right: the right of individuals to obtain "access" to their medical records and other specified information. Forty-one individuals sought access to their records, beginning in late 2008. There is some indication in the HHS record that this series of requests was driven by an interest by some of the patients in moving to other doctors. It is unclear whether this contemplated movement was based on some kind of competitive issue or some other rationale that led directly to complaints being filed. Cignet failed to provide these individuals with access to their records, although OCR has provided no clear explanation of what Cignet did or did not do. From OCR's perspective, the violations started when access was denied and continued, essentially indefinitely, until the records were provided. OCR applied the original HIPAA penalty structure, meaning that the penalties essentially were $100 per day for each requesting individual.
As was the norm when the investigation was conducted, OCR informed Cignet of the complaints that had been received (involving 38 individuals), and sought a response from Cignet. According to the HHS record, Cignet did not respond to OCR's written notification of the investigation, to numerous follow-up attempts to contact Cignet by telephone or to two subsequent letters (one from the Region III OCR manager and the other from the HHS General Counsel's Office), informing Cignet of its obligation under 45 C.F.R. § 164.524 to provide the individuals access to obtain a copy of the protected health information about them in the designated record sets (medical records) maintained by Cignet. Subsequently, OCR issued a subpoena duces tecum directing Cignet to produce specific medical records. Cignet failed to produce records in response to the subpoena, and did not respond to the subpoena in any other way. Cignet also failed to respond to follow-up letters and inquiries.
Later, OCR went to court to obtain Cignet's response. The Court issued an order for Cignet to show cause, but "Cignet did not appear at the hearing, did not respond to the petition and did not defend the action." Finally, after a default judgment was entered against Cignet, Cignet delivered 59 boxes of "original medical records" to the Department of Justice, including not only the records of the individuals who had sought access but also "the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR."
OCR then offered Cignet multiple additional opportunities to address the complaints or otherwise respond to OCR's investigation. Cignet failed to respond to any of these additional opportunities, either. OCR then moved forward with the final enforcement action.
The Civil Monetary Penalty
Ultimately, the $4.351 million penalty was broken into two categories:
- Access violations
Cignet failed to provide HIPAA access rights to 41 individuals. There is a separate violation for each individual, and each day that the individual was not provided access is a separate violation.
- Failure to cooperate with an investigation
OCR also assessed a penalty related to Cignet's failure to cooperate with the investigation. This failure to cooperate, aside from being almost astonishing, constitutes a separate violation of the HIPAA rules. According to OCR, the failure to cooperate with the investigation of each complaint constituted a separate violation, and each day that the violation continued constituted a separate violation. These violations were due to Cignet's "willful neglect" of its obligation to cooperate, which means a "conscious, intentional failure or reckless indifference to the obligation to comply."
Based on these findings, OCR penalized Cignet $1.351 million for the underlying HIPAA violations, and an additional $3 million for its failure to cooperate with the investigation.
What Does This All Mean?
Does this signal a new era of HIPAA enforcement by OCR? Many in the health care privacy field have been expecting a new enforcement approach, going back to the start of the Obama Administration and encouraged by the new enforcement tools provided by the Health Information Technology for Economic and Clinical Health (HITECH) Act. But this hasn't happened yet.
While it is tempting to look at this Cignet result (particularly the large penalty number) and say that we expect a new era starting now, the details of the case do not lead reasonably or directly to this conclusion. Obviously, the target of this penalty is a company that essentially disregarded its HIPAA obligations and then ignored multiple efforts by the government to obtain information. Then, the one time it did respond, Cignet violated the HIPAA rules again by disclosing an astonishing amount of unrelated protected information. So it is hard to imagine worse covered-entity behavior in the face of an OCR investigation. Like the first HIPAA criminal case, where an individual who worked at a hospice stole information from dying patients and used the information to set up fake credit cards, the logical advice is simple: don't do that.
So while it certainly is possible that we will see this case as the start of a more aggressive enforcement program, there is really nothing to base that on. This was a company acting badly, really badly, in ways that virtually no responsible company would act, even one that broke the HIPAA rules.
Does this mean that there are no lessons to be learned here? No. Companies clearly need to focus attention on cooperating with and responding to government investigations. HHS gave Cignet multiple chances to respond and address the complaints. This seems to mean that, rather than ushering in a new era, HHS still intends to allow companies to address complaints and resolve problems rather than moving quickly to punishment. There is nothing, even in the Cignet result, that indicates HHS will be acting any way other than carefully and deliberately.
So while we may look back on this as the start of a new era, it is more likely that this will be an outlier, and that it will serve simply as a reminder to companies about the importance of cooperating with government investigations, even when you have done something wrong. It doesn't mean that companies shouldn't take their HIPAA responsibilities seriously; they should, and this includes all of the changes flowing from the upcoming HITECH rules. But the Cignet case shouldn't lead to panic. It should encourage companies to act reasonably and responsibly, both in developing appropriate HIPAA compliance policies and in responding to government investigations.