HHS levies first fines under HIPAA privacy rule

HHS fined Cignet $1.3 million for violating patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. The HIPAA privacy rule requires health care providers to supply a patient with a copy of his or her medical records within 30 days of the patient’s request.

In addition, the department fined Cignet another $3 million for failing to respond to requests by the HHS’s Office of Civil Rights (OCR) to produce the records, cooperate with investigators, and turn over the records in response to a subpoena. The privacy rule requires health care providers to cooperate with HHS investigations.

Detailed records of these violations were provided in a Notice of Proposed Determination sent to Cignet on Oct. 20, 2010.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements”, said OCR director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

What’s Hot on Infosecurity Magazine?