Health insurer fined $4.3M for HIPAA violation

The federal health department is slapping a Maryland health insurer with a $4.3 million civil money penalty (CMP) for violating medical records rules.

Cignet Health's failure to honor patients' requests for access to their medical records earned the Department of Health and Human Services’s first-ever CMP for a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule.

The fine represents the Obama administration’s toughened enforcement of medical privacy laws. The 2009 stimulus package, which provided almost $30 billion to develop electronic health record systems, included boosted penalties for HIPAA violations.

According to HHS’s Office for Civil Rights (OCR), Cignet was fined $1.3 million for denying 41 patients access to their medical records between September 2008 and October 2009. The insurer was fined another $3 million for failing to cooperate with the OCR investigation.

“Ensuring that Americans’ health information privacy is protected is vital to our healthcare system and a priority of this Administration,” HHS Secretary Kathleen Sebelius said in a statement. “[HHS] is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”