Leveraging the increased enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), for the first time, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty on a health care organization for violating the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. On February 22, 2011, OCR ordered Cignet Health to pay a $4.3 million penalty for failing to provide patients with copies of their medical records and refusing to cooperate in OCR’s investigation.
The Privacy Rule requires Covered Entities to provide patients with copies of their medical records within 30 to 60 days from the date of a request.1 Cignet failed to provide copies of medical records to 41 patients between August 2008 and October 2009. Cignet is a physician group that offers family practice and other services at four locations throughout Maryland. It also claims to offer health insurance through “Cignet Health Plan” though its licensure to operate as a health insurer has been questioned in the press.
Please see full publication below for more information.