OCR Issued 11 More Financial Penalties Due to HIPAA Right of Access Violations

The Department of Health and Human Services’ Office for Civil Rights has alerted healthcare companies regarding the importance of complying with the HIPAA Right of Access. It also announced 11 new financial penalties for HIPAA-covered entities for failing to give patients their medical records promptly. With the most recent batch of enforcement actions, there is now 38 financial penalties enforced with the HIPAA Right of Access enforcement initiative.

The HIPAA Right of Access upholds the right of individuals to examine their protected health information (PHI) that is kept by a HIPAA-covered entity, look for information errors, and ask for the correction of any errors. Individuals may likewise ask for a copy of their PHI from healthcare companies and health plans. Upon request of the information, the provider must give the requested copy in full within 30 days. In very restricted instances, a 30-days extension is allowed. Patients or their nominated representatives may submit requests. For minors, their parents and legal guardians may acquire a copy of the minor’s data. Any person asking for a copy of their information can only be billed a fair, cost-based amount for getting a copy of their files. The information must be given in the format asked by the patient, as long as the HIPAA-covered entity is technically capable of giving records in that file format.

OCR started its HIPAA Right of Access enforcement initiative in 2019 due to prevalent non-compliance with this HIPAA right. Health care providers ought to keep in mind that there are currently 38 enforcement actions in the Right of Access Initiative. OCR is serious about upholding the rules and the right of people to prompt access to their health records.

Penalties of the HIPAA Right of Access

The most recent penalties were all enforced for the inability to give prompt access to a person’s health records, and not for billing unreasonable costs for requesting the information. All except one of the cases were resolved with OCR, and the covered entities agreed to implement a corrective action plan to deal with the non-compliance issues and avoid more violations.

The covered entity ACPM Podiatry declined to cooperate with OCR’s demands, thus getting a civil monetary penalty. A former patient requested a copy of his medical records and then notified OCR on April 8, 2019 that ACPM had declined to give those records. OCR extended technical support to ACPM on April 18, 2019 stating that the data must be given under HIPAA. ACPM still did not provide the records so the patient filed a second complaint with OCR one month later.

OCR’s investigation showed the records were withheld because the complainant’s insurance provider did not pay the bill. However, the complainant stated the records were needed so as to plead the unfavorable decision and file that appeal. Although there was communication between OCR and ACPM Podiatry, ACPM did not take action on OCR’s data access requests, the Letter of Opportunity to give proof of mitigating factors, nor OCR’s notice of proposed determination of a financial penalty, therefore imposing a civil monetary penalty.

Three of the enforcement actions were due to the inability of a HIPAA-covered entity to give a patient’s nominated representative a copy of the needed records. Two cases involved the refusal of the provider to give a patient’s medical records because of outstanding medical costs. The right of a patient to get a copy of their health records is not conditional on whether the medical services are paid in full.

The list of financial penalties is as follows:

1. ACPM Podiatry – Civil Monetary Penalty of $100,000 for untimely access to records
2. Memorial Hermann Health System – Settlement of $240,000 for untimely access to records (complete records not given for 564 days from the initial request)
3. Southwest Surgical Associates – Settlement of $65,000 for untimely access – records given after 13 months
4. Hillcrest Nursing and Rehabilitation – Settlement of $55,000 for untimely access – records not given to a personal representative for 7 months
5. MelroseWakefield Healthcare – Settlement of $55,000 for untimely access – not giving the records to the nominated representative of the patient for 4 months
6. Erie County Medical Center Corporation – Settlement of $50,000 for untimely access – not giving the requested records to a nominated representative of the patient
7. Fallbrook Family Health Center – Settlement of $30,000 for untimely access – unspecified delay in giving the requested records
8. Associated Retina Specialists – Settlement of $22,500 for untimely access – inability to give the patient the records for 5 months
9. Coastal Ear, Nose, and Throat – Settlement of $20,000 for untimely access – inability to give the patient the records for 5 months
10. Lawrence Bell, Jr. D.D.S – Settlement of $5,000 for untimely access – inability to give the patient the records for over 3 months
11. Danbury Psychiatric Consultants – Settlement of $3,500 for untimely access – denied the records for 6 months because of the patient’s outstanding medical costs

OCR has already issued 122 financial penalties involving HIPAA-regulated entities to settle HIPAA violations starting in 2008. With the most recent batch of HIPAA penalties, there are now 16 financial penalties in 2022, higher than the financial penalties enforced in 2021 by 2.