Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
On September 15, 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled with five healthcare organizations that violated the HIPAA Right of Access provision. Each organization was subject to HIPAA violation fines and required to implement corrective action plans (CAPs).
What is the HIPAA Right of Access?
The HIPAA Right of Access dictates that patients, or their designated personal representative, have the right to request a copy of their medical records. Under this provision, healthcare providers must provide timely access to medical records, stating that requested records must be provided within 30 days of the request. Learn more about HIPAA Right of Access information provided by Telehealth.org.
Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services (BILHBS), the largest provider of substance abuse and mental health services in eastern Massachusetts, was issued a $70,000 HIPAA violation fines for failure to provide timely access to medical records requested by a patient’s personal representative. They are also subject to one year of monitoring by OCR and must implement a CAP.
In February 2019, the personal representative requested access to her father’s medical records, but two months later she still had not received the records. She issued a complaint with OCR, and after an investigation, BILHBS finally gave her access to the records in October 2019.
King MD, a small psychiatric services provider based in Virginia, was issued $3,500 HIPAA violation fine for failure to provide timely access to medical records. They are also subject to two years of monitoring by OCR and must implement a CAP.
In October 2018, a patient issued a complaint to the OCR after her request to receive a copy of her medical records had not been met. OCR contacted King MD to provide them technical assistance on how to meet the request. In February 2019, the patient issued another complaint that she had still not received her medical records. She finally received her records in July 2020.
Wise Psychiatry, PC
Wise Psychiatry, PC, a small psychiatric services provider based in Colorado, was issued a $10,000 HIPAA violation fine for failing to provide a personal representative with access to his minor son’s medical records. They are also subject to one year of monitoring by OCR and must implement a CAP.
In November 2017, the personal representative requested his son’s medical records but still had not received them in February 2018. After issuing a complaint to OCR, OCR provided technical assistance to Wise. However, in October 2018, the representative filed a second complaint since he still had not received his son’s medical records. After an OCR investigation, he finally received the records in May 2019.
All Inclusive Medical Services, Inc.
All Inclusive Medical Services, Inc. (AIMS), a multi-specialty family medicine clinic based in California, was issued a $15,000 HIPAA violation fine for refusing to give the patient access to her medical records. They are also subject to two years of monitoring by OCR and must implement a CAP.
In January 2018, a patient requested a copy of her medical records, but her request was denied. In April 2018, the patient issued a complaint with OCR, and OCR began its investigation into AIMS. The patient finally received her records in August 2020 after it was found that AIMS violated the HIPAA Right of Access provision.
Housing Works, Inc.
Housing Works, Inc., a non-profit healthcare organization based in New York City, was issued a $38,000 HIPAA violation fine for failing to provide a patient with his records. They are also subject to one year of monitoring by OCR and must implement a CAP.
In June 2019, a patient requested a copy of his medical records. In July 2019, he issued a complaint with OCR when he had not received the records. OCR conducted an investigation and provided Housing Works with technical assistance. However, in August 2019, the patient filed a second complaint when he still had not received his records. He finally received his records in November 2019.
Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!