The HHS Office for Civil Rights issued one more financial penalty for a HIPAA Right of Access violation. Essex Residential Care, LLC, also known as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, was directed to pay a $100,000 civil monetary penalty to settle an alleged violation.
Hackensack Meridian Health manages skilled nursing facilities in New Jersey, which include the West Caldwell Care Center. In May 2020, OCR got a complaint from a male whose mother got treatment at West Caldwell Care Center. The son claimed that he was not given a copy of her mother’s medical records in 30 days as required by the HIPAA Privacy Rule.
The complainant is the patient’s personal representative and should have been given a copy of his mother’s healthcare records. The complainant initially sent an email requesting a copy of the medical records on April 19, 2020. On April 23, 2020, staff at West Caldwell Care Center informed him that the documents could not be given without presenting a copy of a medical proxy, a power of attorney, or an equivalent document signed by the mother, verifying that he was her personal representative.
The proper documentation was presented yet West Caldwell Care Center still failed to give the requested documents. So the son went to OCR and filed a complaint. On October 15, 2020, OCR informed West Caldwell Care Center about an investigation regarding the complaint and the communication included a request for the data.
West Caldwell Care Center acknowledged that no record was given within the permitted 30 days. However, in response to OCR’s investigation, the nursing facility sent the required medical records at the end of November. The complainant received the records on December 1, 2020, which is 161 days after the first request.
West Caldwell Care Center Contest OCR’s Result of the Investigation
Most HIPAA Right of Access investigations are casually resolved with OCR. The covered entity pays a financial penalty and concurs to take on a corrective action plan including changes to its guidelines and protocols and training on HIPAA awareness for employees. In this instance, West Caldwell Care Center’s lawyer did not agree with OCR’s recommended settlement of the investigation. OCR then informed West Caldwell Care Center that the investigation had discovered initial signs of non-compliance with the HIPAA Right of Access, and OCR gave West Caldwell Care Center the option to send proof of mitigating factors.
West Caldwell Care Center confirmed that it did not provide the complainant with the asked-for documents and made the following explanation:
- The records were given to the facility where his mother was relocated.
- West Caldwell Care Center explained that during the first request, there was an ongoing lawsuit because of the non-payment of health care expenses.
- West Caldwell Care Center was struggling with the COVID-19 pandemic at the time.
- When the complainant submitted a complaint with OCR, it was exactly 30 days after the requisition was first submitted to West Caldwell Care Center.
- West Caldwell Care Center acknowledged that the issue could have been dealt with differently.
West Caldwell Care Center Ordered to Pay $100,000 Civil Monetary Penalty
OCR established that West Caldwell Care Center did not give the required records in the 30 days permitted by the HIPAA Privacy Rule. The 161-day late provision of the medical records (from June 23, 2020, to December 1, 2020) violated the HIPAA Right of Access. The highest civil monetary penalty was $206,080 according to the set penalty tier; nevertheless, based on OCR’s reinterpretation of the HITECH Act and its Notice of Enforcement Discretion, the penalty was limited to $100,000.
West Caldwell Care Center contended that a civil monetary penalty wasn’t allowed since the violation was not because of wilful neglect and the violation was promptly corrected. Imposing a civil monetary penalty is arbitrary and capricious and violates the Administrative Procedure Act (APA). OCR does not agree that the violation was promptly corrected and stated the positive defense demands were not satisfied, that the penalty was right and fair because the violation didn’t defy the APA, and that the amount of civil penalty was fair considering the long delay in giving the requested medical documents.
West Caldwell Care Center stated its employees think they had reacted in the permitted period by sending the health records to the other facility. OCR’s point was that the personal representative did not receive the records as mandated by HIPAA. West Caldwell Care Center was informed of its right to ask for an administrative law judge hearing. The legal counsel of West Caldwell Care Center decided to waive that right.
A patient must have prompt access to medical records to avail of important medical care. The Office for Civil Rights continues to get complaints from folks and personal representatives of individuals who never get prompt access to their medical records. OCR will always strongly enforce this basic right to make sure healthcare facilities nationwide are HIPAA compliant.
This is OCR’s fourth financial penalty issued in 2024 related to alleged HIPAA violations. It is the 145th financial penalty thus far. OCR has already penalized 48 HIPAA-covered entities for not providing individuals or their personal representatives with prompt access to the required medical records that they are lawfully eligible to get.