Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty

By Philip L. Gordon

For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’s first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) —is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.

According to HHS’ Notice of Proposed Determination (the “NPD”), to which Cignet did not respond, Cignet’s first mistake was its failure to respond to patients’ requests for access to their medical records. The HIPAA Privacy Rule establishes detailed procedures for handling access requests. The NPD does not identify the total number of patients whose requests went unanswered nor does it reveal why Cignet did not respond. The NPD does disclose that 41 patients filed complaints with HHS. The large number of complaints almost surely was a red flag for HHS.

Furthermore, the large number of complaints resulted in a substantial multiplier effect when HHS calculated the penalty of $1.3 million attributable to this aspect of Cignet’s non-compliance. More specifically, HHS found that each day of failing to respond to a request for access after the required time period had expired was a separate violation for each of the 41 complainants.

What are the take-aways here? First, although to date HHS’s enforcement efforts in the area of information security have received virtually all of the press attention, HHS takes seriously the obligation of covered entities to ensure that plan participants and patients are able to exercise their rights under HIPAA (consisting of the right to receive a notice of privacy practices, the right to access protected health information (PHI), the right to amend PHI, the right to an accounting of disclosures of PHI, the right to request restrictions on the use and disclosure of PHI, and the right to communicate by alternative means or in an alternative location). Second, employers and providers should have written policies and procedures in place so that employees responsible for implementing HIPAA know how to respond properly and in a timely manner to requests to exercise HIPAA rights. Finally, it is never too late to respond to a request. If, for some reason, a covered entity does not timely respond to a request to exercise HIPAA rights, the covered entity can “stop the running of the penalty meter” by responding to the request as promptly as possible.

As the NPD reveals, the lion's share of the penalty imposed on Cignet — $3 million to be precise — resulted from Cignet’s failure to cooperate in HHS’s investigation. HHS’s press release announcing the penalty emphasizes that Cignet did not respond to a letter demand for the complainants’ patient records, did not respond to a subpoena issued by HHS until after a court ordered Cignet to do so, and “made no effort to resolve the complaints through informal means.”

When calculating this portion of the penalty, HHS counted as a separate violation each day from the deadline in the letter demand for producing the complainants’ medical records until the day that Cignet produced the records in response to the court’s order. HHS then multiplied that penalty by 41 for each complainant.

In choosing to impose the maximum penalty of $50,000 per violation for conduct constituting “willful neglect,” HHS noted in the NPD that Cignet’s failure to produce the records sooner had interfered with some complainants’ ability to obtain health care and had forced HHS to seek a court order to obtain patient records that, under the HIPAA Privacy Rule, Cignet was required to produce within 30 days of the request. HHS also noted that Cignet had produced in response to the subpoena medical records of 4,500 patients whose information the agency had not even requested. But for the $1.5 million annual cap in the HITECH Act on penalties resulting from willful neglect, the penalty imposed on Cignet would have exceeded $150 million.

More lessons learned: HHS had not imposed any civil monetary penalties to date, in large part, because the agency has been willing to work with covered entities to resolve complaints informally. When responding to an inquiry from HHS, covered entities should carefully evaluate whether the complaint can be resolved informally. When informal resolution is not possible, covered entities need to carefully toe the line between respectful disagreement coupled with good faith participation in HHS’s formal dispute resolution process and “willful neglect,” i.e., a failure to respond to HHS’s lawful and reasonable demands. An incidental lesson learned from Cignet’s apparent production of every patient record in its possession in response to the subpoena for 41 patient files is the need to scrupulously safeguard the PHI of plan participants and patients whose information is not implicated by the investigation, even when producing PHI to HHS.

The penalty imposed on Cignet is a window into the “worst-case scenario” for covered entities responding to a HIPAA complaint. While the reasons for Cignet’s non-responsiveness remain unknown, the implications could not be more resounding.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.