In case you thought that you didn’t need to pay much attention to complying with the HIPAA Privacy Rule, a Notice of Final Determination issued by the Office of Civil Rights (OCR) of the Department of Health and Human Services this month should get your attention. OCR has issued its first civil money penalty for a Privacy Rule violation. And, perhaps even more noteworthy is the fact that the penalty is in excess of $4.3 million!

According to OCR, the penalty has been imposed on Cignet Health, a health care company based in Maryland, for failing to provide patients with copies of the medical records on a time basis as required by HIPAA.