OCR Takes Continued Aim at Ensuring Patients’ Access to Data
The Office for Civil Rights (OCR) recently announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of enforcement actions to thirty-eight since the initiative began in 2019.
The HIPAA Privacy Rule generally requires HIPAA covered entities to provide individuals timely access to their protected health information (PHI) upon request. Without an extension, once a covered entity receives a request for PHI, it has 30 days to provide the individual or their representative with the requested records. In each of the eleven cases, health care providers violated HIPAA by failing to grant patients or their representative timely access to requested medical records.
- An Illinois-based podiatry practice failed to provide a former patient with requested medical records and, after numerous ignored requests from OCR, was required to pay a $100,000 civil monetary penalty.
- A New York ophthalmology practice agreed to take corrective actions and pay $22,500 to settle a potential violation of the right of access standard after providing a patient with their requested records only 3 days after OCR initiated its investigation into the patient’s complaint.
- A Baltimore dental practice agreed to take corrective actions and paid $5,000 for a potential violation of HIPAA in failing to timely provide a patient access to their medical record.
- A Florida ENT paid $20,000 and agreed to corrective actions for a potential violation of HIPAA when it failed to provide timely access to medical records after multiple requests.
- A Massachusetts psychiatric practice that failed to respond timely to a patient’s access request, and withheld a patient’s records on the basis that the patient had an outstanding balance, agreed to take corrective actions and paid $3,500 to settle the potential violation of the HIPAA Privacy Rule’s right of access standard.
- A Buffalo medical center agreed to take corrective actions and paid $50,000 to settle a potential violation of HIPAA for failing to timely provide an individual with a complete copy of his medical records.
- A Nebraskan family medical practice paid $30,000 and agreed to corrective actions to settle a potential violation for failing to provide timely access to medical records.
- A Massachusetts nursing and rehabilitation center agreed to corrective actions and paid $55,000 to settle a HIPAA violation for failing to provide an individual’s personal representative with timely access to her son’s medical records.
- A Massachusetts provider agreed to take corrective actions and paid $55,000 to settle a HIPAA violation because it did not provide a personal representative with timely access to medical records on the mistaken basis that a durable power of attorney in this instance did not allow for the provision of such medical records.
- A not-for-profit health system in Texas agreed to corrective actions and paid $240,000 to settle a potential HIPAA violation because it failed to respond timely to a complainant’s access request.
- A surgical group practice with nine locations in Texas agreed to corrective actions and paid $65,000 to settle a potential violation when it failed to provide an individual timely access to their health information.
“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino in a statement. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and people’s fundamental right to timely access to their medical records.”
From OCR’s Right of Access Initiative to information blocking prohibitions, there is a clear trend to enhance patients’ access to their data in a timely and uncomplicated manner. Covered entities and their business associates should take notice of OCR’s aggressive enforcement activities and ensure that they implement appropriate policies and procedures to avoid costly penalties and tedious corrective action plans. In addition, employees handling patient requests must be effectively trained as to the requirements for responding to medical record requests.
Contact Frier Levitt for a review of your current HIPAA policies or for assistance with developing compliant procedures for your practice or facility.