HIPAA CMPs: What's the point?

Yesterday, the federales announced: HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule.  The OCR Notice of Final Determination was issued to Cignet Health of Maryland, a health plan that had not responded to members' requests for records, had not responded to OCR's requests for records once compaints had been filed with OCR, had not responded to a subpoena, and did not even bother to defend itself in federal court when OCR filed for a court order to enforce the subpoena.  I've written about the rule that allows HHS to go for fines of up to $1.5 million per offense where the covered entity's noncompliance is willful.  This is the first example of that rule being tested to the max.

OK.  We get it.  The government is Very Serious about HIPAA and HITECH.  And We Should Be Too.

Now, some of you may wonder: What is Cignet Health and why would it not even respond to all of these requests, subpoenas and federal complaints? 

Well, I wondered the same thing, and did a little digging.

Cignet Health, it turns out, has been offering health insurance (inexpensive health insurance, I might add) despite the fact that it is not licensed to do so by the State of Maryland.  It also offers health insurance overseas in the UK, in Ghana, and — I kid you not — Nigeria.  I have not looked into the overseas licenses.  Affiliates also include a medical group and a medical software company. 

The Maryland Insurance Commissioner issued a cease and desist order to Cignet to stop selling insurance without a license (after a complaint was filed about Cignet not paying claims), Cignet did not respond, and a default judgment was entered in the administrative matter against the company.  The final order against Cignet in the state insurance commissioner's matter was issued on October 25, 2010, just days after the OCR issued its Notice of Proposed Determination.  (The only individual named in the Maryland case had his license to practice medicine revoked in 2000 after being convicted in Federal court in New York in 1994 after trial on a 40-count indictment on mail and wire fraud charges in connection with a student loan scheme.  OCR addressed its letters to him, including an "M.D." after his name.)

The complaints and investigations being carried out at the state and federal levels were approximately concurrent.  While the details of the violations at the state and federal levels were different, at bottom this seems to be about an organization seeking to capitalize on a market opportunity without maintaining the level of compliance needed to function in a heavily regulated industry.  Either action may put the organization out of business, and the question arises: Do we want, or need, overlapping state and federal jurisdiction over matters such as these?  President Obama joked about the overlap in jurisdiction of federal agencies in his State of the Union address, and pledged to eliminate at least some of the overlap in Washington.  I'd be interested to hear about cases in which state attorneys general pursue HIPAA violations that the federales do not.  So far, I've heard only about cases pursued at both the state and federal levels, starting with the first one, the HIPAA HITECH case pursued by Connecticut AG Blumenthal, and the orders at the state and federal levels don't seem to require different actions by the subjects of the sanctions in terms of doing right by the individuals harmed.

In cases such as Cignet, it may be appropriate to have multiple attacks on wrongdoers — though it seems unlikely that the federales will ever collect the $4.3 million this time around.   So is this really a watershed moment for HIPAA HITECH enforcement, or a case of too little, too late?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting