Last week, the federal government fined Cignet Health (Maryland) $43 million for violating the privacy rights of 41 patients by denying them access to their medical records. The fine levied by the Department of Health and Human Services is the first under HIPAA’s privacy rule. The Department of Health and Human Services’ Office of Civil Rights determined that, between September 2008 and October 2009, Cignet Health violated patients’ rights by denying them access to their medical records. Cignet Health also repeatedly failed to cooperate with the investigation conducted by the Office of Civil Rights and did not comply with a subpoena for medical records issued by the Office of Civil Rights until ordered to do so by a federal judge in March 2010.
Separately, the federal government reached a $1M dollar settlement with Massachusetts General Hospital over potential violations of patient privacy laws when an employee lost patients records on local public transportation. The lost information concerned 192 patients in the hospital’s Infectious Disease Associates outpatient practice, including information pertaining to patients with HIV/AIDS. For 66 patients, the lost data included billing forms that recorded name, birth date, medical record number, health insurer and policy number and diagnosis.