The fines just keep coming. Providers seem to be having difficulty learning that healthcare records cannot be withheld from clients and patients in most cases. On Friday, July 15, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its 18th round of sanctions for HIPAA Right of Access violations. In each case, to settle a potential violation of HIPAA, the providers agreed to pay OCR fines and enter into corrective action plans.
What is a Violation of HIPAA Right of Access?
The HHS created standards for patients’ rights to access their medical information, known as the HIPAA right of access standard. Under this standard, healthcare providers have thirty days to comply with patients’ requests for medical records. While providers can request an extension under certain circumstances (e.g., if the patient’s file is in storage), the provider must respond within the thirty-day timeframe to explain why it will take longer to provide the patient with their records.
The HIPAA right of access also limits how much a provider can charge for supplying the records. Furthermore, when reasonable, providers must provide the patient with copies of their medical records in the format they requested (e.g., paper, CD, USB).
Healthcare providers violate the HIPAA right of access standard and are subject to fines when they:
- Fail to respond to records requests
- Fail to provide patients with their records on time
- Provide patients with incomplete records
- Charge more than a reasonable cost-based fee
- Fail to provide the records in the format requested.
$646,000 of OCR Fines
According to a press release issued by HHS’ OCR, the enforcement actions arose for various reasons. Each healthcare provider was subject to OCR fines for violating the HIPAA right of access, but the providers span the spectrum of services offered, and those chosen for visible enforcement failed to meet different aspects of the standard.
- Danbury Psychiatric Consultants (DPC): failed to respond timely to a patient’s access request. DPC also withheld access because the patient had an outstanding balance and required a signed or authorization request. DPC has agreed to take corrective actions and has paid $3,500 to settle a potential violation of HIPAA.
- ACPM Podiatry: American College of Podiatric Medicine (ACPM) failed to provide a former patient with his requested medical records. After receiving a patient complaint, OCR provided ACPM with written technical assistance and closed the matter. OCR received a second complaint from the same individual, alleging that after numerous requests, they still had not received their records. ACPM did not respond to multiple data requests from OCR nor OCR’s Letter of Opportunity and Notice of Proposed Determination. OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
- Associated Retina Specialists failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation and nearly five months after the patient’s first written request. Associated Retina has agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA rules and regulations.
- Lawrence Bell, Jr., D.D.S. failed to provide timely access to a patient’s medical record. The dental practice has agreed to take corrective actions and has paid $5,000 to settle.
- Coastal Ear, Nose, and Throat (ENT): failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000.
- Erie County Medical Center Corporation (ECMC): failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation.
- Fallbrook Family Health Center: failed to provide timely access to medical records. Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of HIPAA.
- Hillcrest Nursing and Rehabilitation: failed to provide an individual’s representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle.
- MelroseWakefield Healthcare (MWH): did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney did not allow for access. MWH has agreed to take corrective actions and has paid $55,000 to settle.
- Memorial Hermann Health System: failed to respond timely to a patient’s access request. Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle.
- Southwest Surgical Associates (SWSA): failed to provide individuals timely access to their health information. SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of HIPAA.
“It should not take a federal investigation before a HIPAA-covered entity provides patients, or their representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and people’s fundamental right to timely access to their medical records.”
This Article is Contributed by the HIPAA Compliancy Group