skip to main content


First-Ever Civil Monetary Penalties Imposed for Violation of the HIPAA Privacy Rule

February 28, 2011

Last week, the Department of Health and Human Services Office of Civil Rights (“OCR”) imposed, for the first time, civil monetary penalties (“CMPs”) for violation of the HIPAA Privacy Rule. As discussed below, these enforcement actions may foreshadow a more vigorous approach to HIPAA enforcement by OCR.

I.      The Enforcement Actions.

$4.3 Million CMP.  On February 22, 2011, OCR announced the imposition of a $4.3 million CMP on Cignet Health of Prince George’s County, Maryland for two violations of HIPAA’s Privacy Rule.  The first violation, accounting for $1.3 million of the CMP, resulted from OCR’s finding that Cignet violated 41 patients’ rights by denying them timely access to their medical records.  OCR imposed the remaining $3 million of the CMP for Cignet’s failure to cooperate with OCR’s investigation, including Cignet’s refusal to respond to OCR’s demands to produce certain records.

$1 Million CMP.  On February 24, 2011, OCR announced the imposition of a $1 million CMP on Massachusetts General Hospital.  The penalty resulted from Massachusetts General’s failure to implement reasonable and appropriate safeguards to protect the privacy of protected health information (“PHI”) when removed from the hospital’s premises and the disclosure of PHI in violation of HIPAA.  The impermissible disclosure occurred when a hospital employee took certain patient scheduling and financial records home and accidently left the records on the subway.

II.     Lessons Learned.

In announcing these enforcement actions, OCR emphasized that the agency is serious about HIPAA enforcement and urged covered entities and business associates to adhere to HIPAA’s requirements. Moreover, OCR recently requested an additional 30 HIPAA dedicated staff members in its FY 2012 budget request, which may be additional evidence of a more serious approach to HIPAA enforcement.  In light of these events, covered entities and business associates should consider reviewing their HIPAA compliance programs and assessing the sufficiency of current policies and procedures.  HIPAA regulated entities should also recognize the importance of the following best practices:

  • Take HIPAA compliance seriously;

  • Make good faith cooperation with OCR a key component of your response strategy; and

  • Take immediate action to resolve all potential HIPAA violations.

Covered entities and business associates should also consider reviewing, or establishing, policies regarding removal of PHI from the premises, the protection of off-site PHI, and the maintenance of PHI on portable electronic devices.

If you have any questions regarding HIPAA compliance or enforcement, please contact a member of our Health Law Practice Group.

© Shipman & Goodwin LLP, 2019. All Rights Reserved.