Written in collaboration with Nathaly Tamayo, JD
Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced the resolution of five HIPAA Right of Access claims. In 2019, OCR publicized its new Right of Access enforcement initiative focusing on individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.
Since announcing its initiative, OCR has resolved 25 Right of Access claims – more than any other category of HIPAA enforcement over that same period. For 2021, the total number of Right of Access resolutions is now 12 (including a civil monetary penalty), edging out last year’s total of 11. Consistent with all my earlier blog posts on this subject, Right of Access enforcement is here to stay and requires the attention of healthcare providers.
The first settlement involved an Ohio based medical center that provides management and treatment of chronic pain services. Like most enforcement actions, a patient complaint triggered an investigation. The patient submitted an in person written request seeking access to his records on November 25, 2019. Although it timely acknowledged receipt of the request, the medical center did not send the records until March 19, 2020. The medical center agreed to pay $32,150 to settle claims that it violated the right of access provision under HIPAA.
The second action involved an ophthalmological service provider in Denver, CO. In June 2019, a patient complained that she requested a copy of her medical records in December 2018 and never received them. After receiving a notification from the OCR, the provider admitted to being aware of the request and was late in responding. An investigation revealed that the provider: 1) failed to timely respond to the request; and 2) did not have sufficient written policies and procedures related to providing timely access to protected health information about the individual. The provider agreed to pay $30,000 to settle the claim.
Unlike the other enforcement action resolutions, the third involved an imposition of civil money penalty of $100,000 against a cardiovascular disease and internal medicine doctor in New York. On November 9, 2017, a former patient of provider filed a complaint alleging that he made numerous requests for his medical records in 2013 to 2014. The provider failed to respond to these requests. OCR closed the complaint but counseled the provider to respond to the records request. The patient complained again on March 20, 2018. OCR asserts that it attempted to resolve the matter by informal means, but the provider failed to cooperate resulting in a civil monetary penalty of $100,000.
As noted above, this is the first Right of Access claim that was not resolved through settlement. This is notable because it illustrates OCR’s willingness to use its authority to assess sizable penalties for violations.
A licensed provider of residential eating disorder treatment services in Eugene, OR was the focus of the fourth enforcement action. A patient complained multiple times that the provider failed to provide timely access to records she requested in October and November 2019. The provider sent the records on May 22, 2020. As a result, the provider agreed to pay $160,000 to settle the matter.
In the last of the five enforcement actions, a patient complained that a North Carolina based medical center that provides primary care and other health care services failed to provide her with a copy of her medical records despite making an in-person request and paying $25 for the records. Apparently, the provider charges a flat fee of $25 for a copy of patient records (which is improper under HIPAA). The provider agreed to pay $10,000 to settle the claim.
As I have said many times, the Right of Access is low hanging fruit for enforcement. But fortunately, it is also easy to comply with the Right of Access rules. OCR is prioritizing patient complaints. If providers want to avoid OCR investigations that will result in an examination of issues other than Right of Access, be sure that patient records requests are handled properly. Tips on Right of Access compliance can be found here.
For those of you keeping score, so far this year, OCR announced 14 enforcement action resolutions totaling $5,982,150 in settlement or penalty amounts. Twelve of those relate to Right of Access enforcement and total $857,150 in settlement or penalty amounts, which far exceeds the Right of Access total in 2020 of $537,500.