Feb 24, 2011 10:55 GMT

The U.S. Department of Health and Human Services (HHS) has issued a $4.3 million fine for violations of the Health Insurance Portability and Accountability Act's (HIPAA) privacy provisions.

This marks the first HIPAA civil penalty issued by the HHS since the act was passed in 1996 and is directed at a Maryland health plan and health care provider called Cignet.

HHS' Office for Civil Rights (OCR) began investigating Cignet back in 2008 after some of its patients complained about being refused access to their medical records.

Under the HIPAA Privacy Rule, covered entities are required to provide copies of medical records within 30 days (and a maximum of 60) of receiving the request.

According to stipulations of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, failure to do so carries a penalty of $1.3 million.

But Cignet didn't only fail to provide patients with their medical records. It also refused to hand them over to OCR when subpoenaed, forcing HHS to obtain a court ruling.

This repeated refusal to comply with HHS investigations is a HIPAA violation and attracted an additional $3 million fine, raising the total penalty to $4.3 million.

OCR determined that Cignet violated the rights of 41 individuals, some of whom informed the company of their intention to obtain health care services from physicians who weren't under its employment.

"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements," said OCR Director Georgina Verdugo.

"The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules," she stressed.