Florida Primary Care Service Provider Pays $20,000 Penalty for HIPAA Right of Access Violation

The primary care service provider, Health Specialists of Central Florida Inc. (HSCF), based in Orlando, FL paid the HHS’ Office for Civil Rights a $20,000 financial penalty to resolve a HIPAA Right of Access violation.

On November 22, 2019, OCR started an investigation after receiving a complaint from a lady who was not furnished with a copy of her departed father’s health records. The preliminary written request was submitted on August 29, 2019. She provided HSCF with an Authorization for Release of Medical Record Information form together with a photocopy of the original Letters of Administration. After several requests and about 5 months, HSCF provided all of the needed health records. The entire set of information was obtained by the lady on January 27, 2020.

As per the HIPAA Right of Access, healthcare companies must provide a copy of the requested health records within 30 days of getting the request. In particular instances, there may be a 30-day extension. OCR established that the late provision of the requested documents violated the HIPAA Right of Access. Besides having to pay a $20,000 financial penalty, HSCF decided to carry out the following corrective action plan:

creating, implementing, and sustaining HIPAA Privacy Rule guidelines and procedures regarding the HIPAA Right of Access
disseminating those guidelines and procedures to employees
giving training about those guidelines and procedures.

HSCF is going to be supervised by OCR for a two-year period starting on the day of the negotiation.

A person’s right to access their health data is one of the foundations of HIPAA, and it is taken seriously by OCR. OCR will keep on ensuring that health plans and health care providers are serious to adhere to the regulation. The report of the HHA echoes the value of accessing data and that covered entities are doing something to enforce the procedures and employees are training to make sure that they are carrying out almost all they can to assist patients’ access.

OCR started the HIPAA Right of Access enforcement in the fall of 2019. After that, healthcare providers already paid $2,423,650 to settle HIPAA Right of Access violations within 42 enforcement activities. The fines vary from $3,500 up to $240,000.