Health and Human Services' (HHS) Office for Civil Rights (OCR) has sent a strong message about its commitment to enforcement of the HIPAA Privacy and Security Rules by announcing two HIPAA Privacy Rule enforcements within one week, one of which includes the first ever use of civil monetary penalties for a HIPAA Privacy Rule violation.

Cignet Health of Prince George's County

HHS issued a Notice of Final Determination, finding that Cignet Health of Prince George's County, MD violated the Privacy Rule, imposing a civil money penalty of $4,351,600 for the violations. The penalty was based on the increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA), better known as the stimulus package. OCR found that Cignet violated 41 patients' rights by denying them access to their medical records when requested. The patients had individually filed complaints with the OCR, which initiated the investigation....