In case you missed the OCR announcement late yesterday afternoon, the Department of Health and Human Services announced that it was imposing a civil money penalty of $4.3 million against Cignet Health for various violations of HIPAA. These penalties were based upon the violation categories and increased penalty amounts authorized by the HITECH Act (discussed further here). The violations stemmed in part from Cignet’s failure to provide 41 patients access to their own medical records as required under 45 C.F.R. § 164.524. In addition to the huge amount of the fine, according to HHS, this action marks the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. This action could indicate a renewed push by HHS to enforce HIPAA and to use the heightened penalty schedule and enhanced enforcement powers provided under the HITECH Act. Could this be the new norm for HIPAA enforcement? Only time will tell.