$4.3 Million HIPAA Penalty Shows OCR Serious About HIPAA Enforcement

Updated: February 22, 2011

The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment announced February 22, 2011 is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates ("covered entities") face for violations of HIPAA. Covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks.

HIPAA Privacy Rule restricts the use, access and disclosure by covered entities of PHI and other individually identifiable health care information to those outlined within the Rules. Under HIPAA covered entities also are responsible for establishing and enforcing policies and procedures that safeguard PHI against improper use, access or disclosure by employees, business associates, and other third parties. Noncompliance with the Privacy and Security Rules exposes a covered entity to criminal prosecution and penalties, civil penalties or both. The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.

In an Oct. 20, 2010 Notice of Proposed Determination, OCR found Cignet violated 41 patients' HIPAA rights and committed other HIPAA violations. The Notice of Final Determination (Final Determination) assessing the $4.3 million CMP against Cignet announced February 22, 2011 applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized by HIPAA amendments made by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more details.

Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. As of January 1, 2011, OCR reports that 12,781 of the cases it has investigated have been resolved by requiring changes in privacy practices and other corrective actions by the covered entities and has referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution. The Department of Justice has secured several criminal convictions or pleas under HIPAA's criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others.

While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR's collection of $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated the willingness of OCR to pursue significant civil remedies against covered entities that it determined willfully violated the Privacy Rules. A subsequent settlement with Rite Aid in 2010 showed OCR's continued efforts to uses Resolution Agreements when possible to remedy breaches.

OCR's February 18, 2009 announcement of the CVS Resolution Agreement came just one day after President Obama signed into law the HITECH Act amendments to HIPAA. Among other things, the HITECH Act amended HIPAA to modify and expand the HIPAA audit obligations of OCR, amend and expand the potential penalties, make business associates liable for violation of the privacy rules like covered entities, to require covered entities and business associates to provide notification of breaches of unsecured PHI and to tighten other HIPAA obligations. The HITECH Act amendments also impose new obligations on OCR to audit and enforce HIPAA compliance and empower state attorneys' general to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances.

Featured Research
  • Best ERP Features and Benefits for Your Business

    Are you considering investing in ERP software for the first time? Or maybe you already have an ERP solution but you’re worried it’s becoming dated. If either of the above apply to you, read our latest guide on the top ERP features and benefits based on the size of your business. You may be surprised at how versatile and cost-effective it is becoming - regardless of if you own a small business or run a large enterprise. more

  • 9 Spooky Signs You Need a Contact Center Upgrade

    When was the last time you evaluated the performance of your current contact center and the software you are using? The results may be frightening! If it’s been awhile since you invested in contact center software, there is a good chance that your needs have changed or that there are better options available now. Fortunately, it’s relatively easy to determine if you need an upgrade or not. more

  • 7 Ways the Wrong Phone System Can Haunt Your Business

    The wrong phone system could be haunting your business - and we’re talking about problems more serious than ghosts and ghouls. From increased costs to issues with scaling, we’ve identified seven important ways that a less than ideal phone system could be holding you back. You’ll be surprised at how much of a difference this can make to your bottom line too. more

  • Ditch Your Fax Servers

    An in-house fax server gives an IT department centralized management and monitoring over the entire enterprise's faxing. This can help your company track usage and better maintain records for auditing and record keeping. However, there are serious drawbacks that come with utilizing an in-house fax server solution and these range from security to cost-prohibitive pricing. more

  • The IT Manager's Survival Guide

    As an IT manager, maintaining physical fax servers and infrastructure is not a high priority. However, fax capability remains a business need simply because chances are your industry is dependent on its security. What if there was a way to reduce the amount of time spent handling fax complaints and maintaining physical servers? And this way took into account security, cost savings, and freed up your IT resources. Would you be interested? more