Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty

For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’s first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) — is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.

To read more about this important development, please visit Littler's Workplace Privacy Counsel blog.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.