HHS Issues First-Ever Civil Monetary Penalty For Md. Group's Violation of Privacy Rule


The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) Feb. 22 imposed its first-ever civil monetary penalty on a covered entity for violating the nearly eight-year-old privacy rule of the Health Insurance Portability and Accountability Act (HIPAA), ordering Cignet Health of Prince George's County, Md., to pay $4.3 million.

The bulk of the penalty--$3 million--was assessed for Cignet's failure to cooperate with HHS's investigation, a move attorneys contacted by BNA said signals that the agency is serious about exercising its expanded enforcement authority under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Marcy Wilder, a partner at Hogan Lovells in Washington, told BNA Feb. 22 that when Congress enacted the HITECH Act, it sent a message to HHS to “get serious” about HIPAA enforcement. HHS's action against Cignet showed that it has, in fact, gotten the word, she said.

Wilder, a former deputy general counsel at HHS and the lead agency lawyer on the HIPAA rules, said the CMP assessed against Cignet “sends a message” to covered entities that they had better cooperate in investigations concerning violations of the privacy rule. The final determination should put covered entities on notice that they will be subject to severe penalties if they fail to answer agency queries, she said.

Kirk J. Nahra, a partner at Wiley Rein LLP in Washington, agreed that the amount of the penalty clearly provides a lesson for covered entities to learn with regard to taking investigations seriously. However, he said, the case may involve an “extreme” situation in which the target of the investigation simply ignored the agency's inquiries. It is too soon to tell whether the CMP represents a change in the enforcement climate surrounding the HIPAA rules, he said.

From the information provided by OCR, it appears that Cignet did not respond to any attempt by the agency to obtain information about complaints that the company failed to honor patients' requests for medical records, Nahra said. That would be “extremely unusual,” he said. Most targets of agency inquiries respond to HHS and try to fix the problem; generally, people do not just ignore agency requests for information, he added.

Privacy Rule Violations.

According to HHS's press release, OCR found in October 2010 that Cignet violated patients' rights by refusing them access to their medical records when requested. The HIPAA privacy rule requires covered entities to provide patients with their medical records within 30, but no later than 60, days from the date of a request. The agency assessed a $1.3 million CMP for these violations, in addition to the $3 million assessed for failing to cooperate with HHS's investigation, the agency said.

According to the release, the investigation began when a group of Cignet patients filed individual complaints with OCR. When the office requested the records, Cignet failed to respond. A subpoena met the same result, leading OCR to file a petition to enforce the subpoena in the U.S. District Court for the District of Maryland, United States v. Uplift Medical PC, D. Md., No. 10-59, filed 2/4/10. Cignet did not respond to the petition, and the court awarded HHS a default judgment April 1, 2010. Cignet subsequently produced the medical records, but otherwise made no effort to resolve the complaints through informal means, HHS said.

OCR also found that Cignet failed to cooperate with its investigation on a continuing daily basis during the period of March 17, 2009, to April 7, 2010. The agency said, “Cignet's failure to cooperate with OCR's investigation of each complaint constitute[d] a separate violation of [the privacy rule], and each day that the violation continued … counts as a separate violation.” Further, each “violation was due to Cignet's willful neglect of its obligation to comply” with the privacy rule, the release said. It noted that covered entities are required by law to cooperate with investigations.

OCR Director Georgina Verdugo said in the release: “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements.” She stated that HHS “will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

HHS Secretary Kathleen Sebelius added that HHS “is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”

Agency Notices.

OCR sent Cignet its Notice of Proposed Determination in October 2010. The document details the actions taken by OCR after it received numerous complaints from Cignet patients who had requested, and not received, access to their medical records.

According to the notice, OCR gave Cignet numerous opportunities to either provide the records to the patients or disclose the records to the agency. Cignet ignored all these opportunities and did not release the records until ordered to do so by the district court in April 2010. At that time, Cignet delivered 59 boxes of documents to OCR's Washington office. In the boxes were the medical records of 11 individuals named in the agency's subpoena, as well as those of an additional 30 individuals from whom the agency had received complaints. OCR said Cignet also provided the medical records of 4,500 individuals for whom OCR made no request and for whom Cignet had no basis for disclosure.

On Aug. 19, 2010, OCR wrote Cignet informing it that the agency had found preliminary indications of noncompliance and notifying it that Cignet could submit written evidence to support a waiver of CMP for violations that were due to reasonable cause and not willful neglect. Cignet did not respond, the agency said.

The agency concluded that Cignet was subject to CMPs for failing to provide access and for failing to cooperate with an investigation. The latter, it said, was due to Cignet's willful neglect of its obligation to cooperate, meaning that the provider demonstrated a “conscious, intentional failure or reckless indifference to the obligation to comply” with the rule.

The proposed notice also found that Cignet submitted no evidence of mitigating factors or affirmative defenses that would support a waiver of the CMP. The agency initially calculated the penalty for failure to cooperate based on a $50,000 per day penalty, which resulted in an amount well above the maximum $1.5 million per year. The $3 million CMP represented the maximum penalty for violations that occurred in 2009 and 2010.

The Notice of Final Determination, entered Feb. 4, noted that Cignet had failed to request a hearing on the notice of proposed disposition and findings of fact supporting the CMP. Because Cignet did not request a hearing, it said, the imposition of the CMP in excess of $4.3 million was final, and the provider had no right to appeal the penalty.

OCR also informed Cignet that, in the event of nonpayment, a civil action could be brought in U.S. district court to recover the sum.

'Sea Change?'

Nahra said he is curious to see whether this case represents a fundamental change in HHS enforcement of the HIPAA rules. It may just be a one-time action involving a highly unusual reaction to an investigation, he said.

“While this may turn out to be a signal of a more aggressive enforcement approach,” Nahra said, “it appears from the published documents that this is a situation where HHS is trying to make an example of an entity that did not take their HIPAA responsibilities seriously, and then essentially ignored the government's efforts to investigate.”

He noted, however, that the case “does provide covered entities with some useful information about how to respond to an HHS investigation--including the need to be responsive and cooperative.”

Wilder, however, said the case could represent a “sea change” in the agency's enforcement practices. She noted that the case is not about a data breach or misuse of private health information--areas in which HHS has been more aggressive about enforcement in the past. Instead, this case is about a covered entity's failure to implement basic HIPAA privacy requirements and protect basic individual rights--in particular, the right to access one's medical records.

Wilder noted that the HITECH Act made “very significant” changes with respect to enforcement of the HIPAA rules. Congress increased HHS's authority to impose CMPs for HIPAA violations and increased the amount of the penalty that could be imposed per violation, she said. The Cignet case is the first time HHS has used that enhanced authority.

The amount of the penalty was not surprising in light of Cignet's “profound” failure to cooperate, as documented in the notice of proposed determination, Wilder added. “HHS was concerned that Cignet's failure to provide patients with access to their medical records hindered the patients' ability to get health care they were seeking from non-Cignet physicians.” She said the “failure to cooperate, combined with Cignet's willful neglect of the privacy rule, led to the significant penalty.”

The amount sends a “very strong and serious message” to covered entities that violations of basic rights granted by HIPAA will not be tolerated, Wilder said.

By Mary Anne Pazanowski


Full text of HHS's Notice of Proposed Determination is available at http://op.bna.com/hl.nsf/r?Open=mapi-8ebssf. Full text of HHS's Notice of Final Determination is available at http://op.bna.com/hl.nsf/r?Open=mapi-8ebstc.