When earlier this year the Office of Civil Rights (OCR) hit Cignet Health with a $4.3 million civil penalty, it represented the opening volley in teethier enforcement of the HIPAA Privacy Rule under a new law that vastly increased the potential for fines.

Cignet received the first-ever civil penalty under 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized greatly enlarged monetary fines and penalties. Whereas under 1996's Health Insurance Portability and Accountability Act (HIPAA), fines for violating the act's Privacy Rule were capped at $100 per violation with an annual maximum of $25,000, HITECH upped the ante to a maximum of $50,000 per violation and a yearly total of $1.5 million.

So how did Cignet's penalty reach $4.3 million? The $2.8 million differential represents fines for failing to cooperate with the OCR investigation, which began when 41 patients filed complaints with the Office of Civil Rights that Cignet had not provided them access to their medical records in a timely fashion.

The HIPAA Privacy Rule protects individuals' personal health information (PHI) from being shared with persons or entities that are not administratively or clinically responsible for those individuals, but it also gives individual patients the right to view their files.

The Office of Civil Rights is located within the Department of Health and Human Services (HHS) and is charged with enforcing the HIPAA Privacy Rule. The HITECH schedule of fines can be applied only to violations that occur on or after the law's signing date of Feb. 18, 2009.