Cignet Health, a health care organization in Maryland, has been assessed a $4.3 million civil monetary penalty for violating HIPAA. Although the Department of Health and Human Services (HHS) has entered into financial settlements before, this marks the first time it has issued a civil money penalty under HIPAA, and the penalty is significantly higher than any previous financial settlement.
Early HIPAA enforcement—voluntary compliance
The original version of HIPAA had what many considered to be rather weak penalties. Penalties were capped at $100 per day of violation and at $25,000 for the same violation in any one year. Also, HHS took a lot of criticism for its informal enforcement of the act. Although HHS would investigate every complaint that it received, it would seek voluntary, confidential compliance agreements from those who violated the law. From 2003 through 2007, HHS never sought any financial penalties from any violators. Moreover, there were almost no details available about HHS’s enforcement activity.
HHS steps up enforcement—enters into financial settlements
Responding to criticism that it wasn't doing enough to enforce HIPAA, HHS finally entered into its first financial settlement in July of 2008. That case involved Providence Health, which over a seven-month period had experienced four separate incidents of lost computers and another incident involving lost backup tapes and other storage media, compromising information on thousands of patients. In a resolution agreement, Providence Health agreed to pay a $100,000 financial settlement to HHS and to implement a corrective action plan.