The HHS’ Office for Civil Rights has announced it has resolved 11 more cases involving violations of the HIPAA Right of Access. 10 of the cases were settled with OCR, and one Civil Monetary Penalty was imposed due to the lack of cooperation with OCR and the failure to provide the patient with the requested records.
Under the HIPAA Right of Access, individuals can obtain a copy of their healthcare information within 30 days of submitting a request to a healthcare provider or health plan, and can only be charged a reasonable, cost-based fee for obtaining their records. In limited situations, such as when the requested records are stored off-site, a HIPAA-covered entity may be granted a 30-day extension for providing the requested records.
OCR launched its HIPAA Right of Access enforcement initiative in late 2019 following multiple complaints from individuals who had not been provided with timely access to their medical records. Since the start of the enforcement initiative, OCR has fined 38 HIPAA-covered entities for failing to provide timely access to patient records for a reasonable, cost-based fee.
“It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
HIPAA Right of Access Civil Monetary Penalty
Most cases involving HIPAA violations are settled with OCR, with the HIPAA-covered entity or business associate accepting no liability for the violation(s). When a HIPAA-regulated entity fails to cooperate with the investigation, does not resolve the alleged HIPAA violation, or disputes OCR’s findings, a civil monetary penalty will be imposed.
ACPM Podiatry in Illinois was determined to have failed to provide a former patient with his requested records. OCR provided technical assistance to ACPM confirming the records needed to be provided, then closed the case; however, a second complaint was filed with OCR by the patient when the requested records were still not provided after making multiple requests. OCR was informed that the records were not provided because there was an outstanding bill due to the patient’s insurance company not paying out. The patient said the records were required to appeal the non-payment with the insurance company.
OCR said ACPM did not respond to multiple data requests, the Letter of Opportunity that gave ACPM the opportunity to explain any mitigating factors, nor the Notice of Proposed Determination. OCR imposed a civil money penalty of $100,000. The records were not provided to the patient.
Settlements to Resolve HIPAA Right of Access Violations
10 HIPAA Right of Access cases were settled with OCR and involved fines and the adoption of a corrective action plan to ensure future compliance with the HIPAA Right of Access. Several factors are taken into consideration when determining the penalty amount, including the duration of the violation and the ability of the covered entity to pay the penalty.
Memorial Hermann Health System
Texas-based Memorial Hermann Health System (MHMS) failed to provide a patient with all the requested records, despite five requests between June 2019 and January 2020. The first written request was received by MHMS on July 3, 2019, but it took until March 26, 2021, for all the requested records to be provided – 564 days after the initial access request. The case was settled for $240,000.
Southwest Surgical Associates
Texas-based Southwest Surgical Associates (SWSA) was determined to have failed to provide a patient with her requested records for almost 13 months between February 11, 2020, and March 5, 2021. SWSA agreed to settle the case and paid a $65,000 financial penalty.
Hillcrest Nursing and Rehabilitation
Massachusetts-based Hillcrest Nursing and Rehabilitation failed to provide a parent with her son’s medical records, even though the woman was her son’s health care proxy. The records were requested on March 22, 2020, but were not provided until October 10, 2020. Hillcrest Nursing and Rehabilitation agreed to settle the case and paid a $55,000 financial penalty.
MelroseWakefield Healthcare
Massachusetts-based MelroseWakefield Healthcare (MWH) received a valid request from the personal representative of a patient for a copy of her mother’s medical records on June 12, 2020, but the records were not provided until October 20, 2020. MWH said access to the records was not provided on the mistaken basis that durable power of attorney did not allow for the provision of such medical records. The case was settled with OCR for $55,000.
Erie County Medical Center Corporation
Erie County Medical Center Corporation, which operates Erie County Medical Center (ECMC) in Buffalo, NY, failed to provide a patient with a complete copy of his medical records. The case was settled with OCR and a $50,000 financial penalty was paid to resolve the HIPAA violation.
Fallbrook Family Health Center
Nebraska-based Fallbrook Family Health Center was determined not to have provided timely access to a patient’s medical records. The case was settled with OCR and a $30,000 financial penalty was paid to resolve the HIPAA violation.
Associated Retina Specialists
New York-based Associated Retina Specialists (ARS) failed to provide a patient with the requested records for almost five months. The records were provided within 3 days of OCR initiating its compliance investigation. ARS settled the case with OCR and paid a $22,500 financial penalty.
Coastal Ear, Nose, and Throat
Florida-based Coastal Ear, Nose, and Throat (ENT) received a request from a patient on December 15, 2020, and January 8, 2021, but failed to provide the patient with access to the requested records until May 20, 2021. The case was settled with OCR and a $20,000 penalty was paid to resolve the HIPAA Right of Access violation.
Lawrence Bell, Jr., D.D.S.
Maryland-based Lawrence Bell, Jr., D.D.S., was determined to have failed to provide timely access to a patient’s medical records. The dental practice settled with OCR and paid a $5,000 financial penalty.
Danbury Psychiatric Consultants
Massachusetts-based Danbury Psychiatric Consultants received a request from a patient on March 24, 2020, for access to her medical records; however, the access was withheld due to an outstanding balance and requiring a signed request or authorization request. The records were not provided until September 14, 2020, after OCR initiated its investigation. The case was settled with OCR and a $3,500 financial penalty was paid.
