The First HIPAA Civil Monetary Penalty
Americans have a legal right to access their medical records under HIPAA, the nation’s foremost health care privacy law, but health care companies and providers don’t always honor patient requests for access. Throughout HIPAA's history, only a handful of health care companies have been publicly sanctioned for failing to comply with HIPAA privacy and patient access requirements. This week, however, the Dept. of Health and Human Services (HHS) Office of Civil Rights (OCR) sent a different message to health care companies and patients by levying the first civil monetary penalty for violations of the HIPAA Privacy Rule. It’s a big one too: $4.3 million in total.
Cignet Health of Prince George’s County, Maryland, refused the requests of 41 patients to gain access their medical records. HIPAA generally requires health care providers and health plans to give patients a copy of their medical records within 30 days of the patient’s request. These 41 patients complained to OCR individually over Cignet’s refusal, launching an OCR investigation. HIPAA also requires health care providers and plans to cooperate with HHS investigations, but Cignet made things worse for itself by refusing to turn over records in response to an OCR subpoena. Shockingly, this got Cignet nowhere. OCR obtained a default judgment against Cignet in district court to enforce the subpoena. In the end, OCR hit Cignet with a civil penalty of $1.3 million for failing to comply with patients’ right to access their medical records, and whopping additional $3 million for being difficult.
At least four takeaways emerge from this event. First, we are cautiously optimistic that OCR seems to be stepping up its enforcement of HIPAA. In the past two years, OCR has reached two large settlements with pharmacies over privacy violations –a million dollar settlement with Rite Aid pharmacy in July 2010, and a $2.25 million settlement with CVS Pharmacy in January 2009. This is long overdue – active enforcement of the law, particularly with respect to egregious violations, is critical to building public trust as the United States transitions to digital health records over the next few years.
Second: The right of consumers and patients to access copies of their health information should be inviolate, and this enforcement action makes that point loud and clear. Congress recently strengthened the right of patients to receive copies of their health data, yet Cignet turned scores of patients away when they requested access.
Third: Many entities covered by HIPAA take their obligations seriously, but clearly there are those who do not – and their actions erode the public's trust in the health care system as a whole. HIPAA is clear that covered entities must cooperate with government investigations into patient complaints, but Cignet forced OCR to go to court in order to obtain documents critical to investigating patient complaints. HIPAA also requires covered entities to implement reasonable security safeguards for patient information, but in the Rite Aid and CVS cases, both pharmacies tossed loads of patient records into dumpsters open and visible to the public.
Lastly, patients should not be shy about standing up for their rights. The Cignet penalty was the result of 41 individuals lodging complaints with OCR. While HHS and the Federal Trade Commission certainly don’t act on every consumer complaint, neither agency can respond to violations if they are never notified that violations have occurred. Privacy and access to medical records are fundamental to a trustworthy health care system, and patients play an important role in alerting the authorities when these rights are not being honored. CDT recently launched a web page for patients with information on getting their medical records, along with links to where patients can complain if their rights are violated.
Bringing health care into the digital age will only succeed if all health data holders are held accountable for complying with baseline privacy and security protections. OCR took a significant step forward yesterday in establishing this accountability, and we hope OCR maintains a tough stance on HIPAA enforcement in the future.