Question: What do you do when a regulatory agency asks you to cooperate with its investigation of you?
Question: What do you do when a regulatory agency orders you to comply with the law?
Question: What do you do when a regulatory agency serves you with a subpoena?
Question: What do you do when you are served with a civil action to enforce the subpoena?
Cignet Health, a Maryland corporation, was hit today with the largest HIPAA fine levied to date– $4.3. It is alleged that it failed to respond to patient requests for copies of medical records. What is clear is that it did not cooperate with the OCR investigation, it did not respond to a subpoena and did not respond to a civil action filed against it to enforce the subpoena. It didn’t do anything. Why, I can’t fathom. Guesses are (1) panic, (2) bad legal advice or (3) fear that complying would result in OCR discovering something worse.
1) When you are notified of an investigation, speak to your in-house counsel. If you don’t have in-house counsel, speak to external counsel.
2) Cooperate. “Cooperate” doesn’t mean you have to give away the house. You can often negotiate the coverage of a subpoena. Ideally, if you have cooperated from the beginning, and preferably, have a good relationship with the regulator, it won’t get that far. And if you feel that strongly, you can always contest it, though you get more with honey than you do with vinegar.
3) Fess up. The cover-up (or otherwise not cooperating) will make things worse and perhaps result in a $4.3 fine.
None of this is rocket science. You haven’t learned anything that you didn’t already know. There are many fine attorneys that can guide you expertly through the process and provide you with good advice. They often have good relationships with the regulators themselves, which you can leverage. Bottom line: don’t panic and get some help.