Skip to content

HIPAA Hammer

February 25, 2011

This week, the Department of Health and Human Services announced that imposed a civil monetary penalty of $4.3 million on Cignet Health in Maryland when Cignet refused to allow 41 patients access to their medical records between September 2008 and October 2009.

When the patients were not allowed to access their medical records, they complained to the Office of Civil Rights and investigations were launched. The OCR imposed a $1.3 million civil penalty on Cignet for those violations. Cignet then refused to produce the records during the investigation and refused to produce the records in response to a subpoena. The OCR had to go to court and obtain a default judgment against Cignet requiring Cignet to turn over the records. Because of Cignet’s willful noncompliance with the OCR’s requests, another $3 million was added to the monetary penalties imposed on Cignet.

Keep in mind that HIPAA laws provide for both “required” and “permitted” disclosures of protected health information – which include a patient’s medical records.

With required disclosures, a covered entity must disclose protected health information to the requesting party. Under 45 CFR 164.502(a)(2), there are only two instances where disclosures are required: Written requests by a patient and requests by the Secretary of the Department of Health and Human Services to determine whether a covered entity is in compliance with the law.
There are multiple instances of permitted disclosures within the HIPAA statute contained at 45 CFR 164.512.

With permitted disclosures, a covered entity may choose whether or not to disclose the protected health information. In addition, with a permitted disclosure, the patient does not have to consent to release of the protected health information. Release in response to a court order is considered a “permitted disclosure”, which technically means that the covered entity can choose whether or not to disclose the information. However, keep in mind that there may be penalties for refusing to comply with a court order, so it may be in the covered entity’s best interests to “choose” to release the information in response to a court order.

Note that subpoenas are technically not court orders. Depending upon who has sent you a subpoena for your patient’s records and the circumstances behind that request, it may be wise to protect your patient’s interests by requesting either a written release from your patient or a court order delineating the scope of disclosure before you release the records.

Also note that if you do provide copies of medical records to any entity, you are entitled to a statutory fee for providing those copies. In Illinois, the fee changes every year. You can find the current statutory fees at the Illinois Comptroller’s web site. The 2011 rates are here.

See more information about this ruling against Cignet at the Department of Health and Human Services’ site here.
If you believe that your rights under HIPAA have been violated, you can file a complaint with the Office for Civil Rights at this link.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: