The Department of Health and Human Services’ Office for Civil Rights has fined Cignet Health of Prince George’s County, Md., $4.3 million for multiple violations of the HIPAA privacy rule.

The fine is the first “civil money penalty” imposed on a health care organization under the privacy rule and the amount of the fine is based on increased penalty amounts authorized under the HITECH Act, according to OCR.

Other organizations have paid “resolution” fines that accompanied agreements to implement comprehensive, OCR-overseen corrective action plans. They include Rite Aid in July 2010 ($1 million), CVS/pharmacy in Feb. 2009 ($2.25 million) and Providence Health & Services in July 2008 ($100,000).

These organizations cooperated with OCR during its investigation of privacy violations. Cignet has not been cooperative and has not agreed to a corrective action plan and the fine reflects its stance, according to OCR.

Last October, OCR issued a Notice of Proposed Determination that found Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients each filed complaints with OCR, initiating investigations of each complaint. The office fined Cignet $1.3 million for these violations.

In a statement, OCR explains the refusal of Cignet to cooperate, which resulted in additional fines totaling $3 million:

“During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

“OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.”

The notices of proposed and final determination from OCR are available at


--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access