Kirk Nahra Discusses Civil Monetary Penalty Issued by HHS with BNA's Health Care Daily Report
Wiley Rein Health Care Practice co-chair Kirk Nahra commented on the penalty imposed by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) on a covered entity for violation of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA). OCR has ordered that Cignet Health pay $4.3 million for its violation of HIPAA’s access requirements and its failure to cooperate with an HHS investigation. Industry experts say that the penalty is a signal that HHS is serious about using its expanded authority under the Health Information Technology for Economic and Clinical Health Act.

Mr. Nahra said that “the amount of the penalty clearly provides a lesson for covered entities to learn with regard to taking investigations seriously.” He noted, however, that “the case may involve an ‘extreme’ situation in which the target of the investigation simply ignored the agency’s inquiries. It is too soon to tell whether the CMP represents a change in the enforcement climate surrounding the HIPAA rules.”

Mr. Nahra explained that based on information from OCR, “it appears that Cignet did not respond to any attempt by the agency to obtain information about complaints that the company failed to honor patients’ requests for medical records.” That would be “extremely unusual,” Mr. Nahra noted. “Most targets of agency inquiries respond to HHS and try to fix the problem; generally, most people do not just ignore agency requests for information,” he said.

Mr. Nahra added that he is curious “to see whether this case represents a fundamental change in HHS enforcement of the HIPAA rules. It may just be a onetime action involving a highly unusual reaction to an investigation.”

“While this may turn out to be a signal of a more aggressive enforcement approach, it appears from the published documents that this is a situation where HHS is trying to make an example of an entity that did not take their HIPAA responsibilities seriously, and then essentially ignored the government’s efforts to investigate,” Mr. Nahra explained. The case “does provide covered entities with some useful information about how to respond to an HHS investigation—including the need to be responsive and cooperative,” he concluded.