HHS’ Office for Civil Rights Issues 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is carrying on with its implementation of the HIPAA Right of Access compliance and has lately published another 5 financial penalties. The HIPAA Right of Access enforcement effort was introduced in the autumn of 2019 as a resolution to a substantial number of reports from patients who didn’t obtain quick access to their health files.

The HIPAA Privacy Rule demands covered entities to give people access to their health care files. A copy of the medical records must be given in 30 days after the request is submitted, but a 30-days extension can be given in some instances. HIPAA-covered entities are authorized to bill patients for the copy of medical data, however, they may just demand a fair, cost-based rate. Labor costs are simply allowed for duplicating or otherwise producing and sending the PHI right after it has been identified.

The enforcement steps thus far were not enforced for billing excessive sums, just for impermissibly declining to give a copy of the required documents or for unnecessary slowdowns. In a number of cases, patients needed to wait several months before they received a copy of their data.

Based on the most current announcement of OCR, there are up to 25 HIPAA Right of Access enforcement actions released with the 2019 enforcement project.

In the 5 new cases listed, OCR confirmed the healthcare companies violated 45 C.F.R. § 164.524 and did not provide prompt access to protected health information (PHI) regarding the person after getting a request.

Advanced Spine & Pain Management, a healthcare company providing chronic pain-connected medical services in Cincinnati and Springboro, OH, decided to resolve OCR’s investigation and paid for the financial fine. OCR is going to keep track of the provider’s compliance with its corrective action plan for two years. The investigation was prompted by a complaint by a patient who asked for his medical documents on November 25, 2019, however failed to acquire the records up to March 19, 2020.

Denver Retina Center located in Denver, CO, a provider of ophthalmological services, settled its case with OCR and made payment for a $30,000 financial penalty. It will be monitored for compliance with its corrective action plan for 12 months. A patient stated she had requested her medical documents in December 2018 but did not get a copy of her data until July 26, 2019. OCR had provided technical support to the healthcare organization following getting an earlier HIPAA Right of Access complaint from the same patient and closed the case. When proof was obtained concerning continued failure to comply the case was re-opened. OCR established that besides the delay, Denver Retina Center had access policies and protocols that did not comply with the HIPAA Privacy Rule, as demanded by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock) based in Eugene, OR, a residential eating disorder treatment services provider, resolved OCR’s investigation and paid a $160,000 financial penalty and is going to be supervised if complying with the corrective action plan for a year. OCR received three patient complaints about not receiving the requested copy of her health information. The patient asked for a copy of her documents on October 1, 2019, and November 21, 2019, and didn’t get the requested information until May 22, 2020.

Wake Health Medical Group located in Raleigh, NC, primary care and other health care services provider, resolved OCR’s investigation and made a payment of $10,000 as a financial fine and will implement corrective action to avoid other HIPAA Right of Access violations. OCR got a patient complaint after the patient asked for a copy of her medical information on June 27, 2019 and paid a flat fee of $25, which is the normal cost charged by Wake Health Medical Group for giving copies of health documents. By the date of the settlement, the patient still did not receive the requested information.

Cardiovascular disease and internal medicine doctor Dr. Robert Glaser from New Hyde Park, NY didn’t cooperate with OCR at the time of the investigation, though didn’t argue the results and waived his right to a hearing. OCR imposed a civil monetary penalty of $100,000. An investigation was launched right after getting a complaint from a former patient who stated he had submitted several written and verbal requests for a copy of his medical documents between 2013 and 2014. The complaint was sent to OCR on November 9, 2017, which was closed by OCR on December 15, 2017, subsequent to telling Dr. Glaser to check the complaint and deliver the asked for documents if the requests were consistent with the HIPAA Right of Access. The patient submitted a further complaint to OCR on March 20, 2018, and furnished evidence of more written requests. OCR tried to get in touch with Dr. Glaser on a number of occasions by letter and phone, nevertheless, he repeatedly did not respond, therefore the decision to issue a civil monetary penalty.