Private Practitioner Issued $15,000 Penalty over HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued its 11th financial penalty in association with its HIPAA Right of Access enforcement effort to Dr. Rajendra Bhayani. Dr. Bhayani who is a private practitioner in Regal Park, NY with a specialty in otolaryngology consented to pay a $15,000 financial fine to resolve the case and implement a corrective action plan to correct areas of non-compliance identified by OCR at the time of the investigation.

OCR investigated the doctor after receiving a patient complaint in September 2018 claiming that Dr. Bhayani was unable to give her a copy of the requested health records. The patient requested from the otolaryngologist last July 2018, however she did not receive a copy of medical records two months after.

OCR made contact with Dr. Bhayani and offered technical support regarding the HIPAA Right of Access and shelved the patient complaint; then again, OCR got a second complaint from the previous patient in July 2019, which is one year later, saying that she hasn’t gotten her health records. OCR intervened once again and eventually, the patient received her medical records in September 2020, after 26 months of submitting the first request. Under HIPAA, medical providers ought to deliver requested health records within 30 days of getting a request.

OCR saw Dr. Bhayani’s inability to produce the medical records as a breach of the HIPAA Right of Access (45 C.F.R. § 164.524) requirements. He additionally failed to answer the letters given by OCR on August 2, 2019 and October 22, 2019 inquiring about information. Not cooperating with OCR’s inquiry of a complaint was a breach of 45 C.F.R. §160.310(b). OCR made a decision to issue a penalty for the violations. Dr. Bhayani consented to resolve the case without admitting liability.

Physician’s offices, whether big or small, need to deliver requested health records to patients promptly. OCR Director Roger Severino stated that it will keep on putting first the HIPAA Right of Access cases for enforcement until healthcare companies get the message.

Dr. Bhayani likewise ought to follow a corrective action plan. Policies and procedures ought to be re-evaluated to give people access to their PHI in accordance with 45 C.F.R. § 164.524. The policies ought to specify the techniques employed to estimate an acceptable, cost-based charge for giving access. Those guidelines should be sent to OCR for critique, and any adjustments asked for by OCR ought to be enforced in 30 days. Dr. Bhayani likewise should give privacy training to workers concerning protected health information (PHI) access. The training resources ought to be sent to OCR also for assessment and approval.

Every three months, Dr. Bhayani is instructed to give OCR a listing of all access requests, which include the fees charged for providing the requests, in conjunction with information of any requests that were rejected. OCR must obtain reports of any cases of personnel not submitting to access requests.

OCR is going to keep an eye on Dr. Bhayani for two years since the start of the resolution agreement to make certain of continuing compliance with the HIPAA Right of Access.