Earlier today the Department of Health and Human Services’ (HHS), Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty – which is $4.3 million – was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR’s investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.