OCR Announces Resolutions to Eleven HIPAA Violations 

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began. OCR created this initiative to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

OCR has taken the following enforcement actions and ensured that complainants received copies of their records: 

  • An Illinois podiatry practice failed to provide a former patient with his requested medical records. In response to an initial complaint, OCR provided the practice with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that the practice still had not provided the medical records after numerous requests. The practice did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination. OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
  • An eye care specialist company in New York failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. They agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard. 
  • A dental practice in Baltimore, Maryland, failed to provide timely access to a patient’s medical record. They have agreed to take corrective actions and have paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • A Florida ENT group failed to provide timely access to medical records after multiple requests for such records from a patient. They have agreed to take corrective actions and have paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Psychiatric consultants located in Massachusetts failed to respond timely to a complainant’s access request. They also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. They have agreed to take corrective actions and have paid $3,500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • A public benefit corporation that operates a hospital located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. They agreed to take corrective actions and have paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • A Nebraska family health center failed to provide timely access to medical records. They agreed to take corrective actions and have paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • A Massachusetts nursing home failed to provide an individual’s personal representative with timely access to her son’s medical records. They agreed to take corrective actions and have paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard. 
  • A healthcare provider in Massachusetts did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records. They have agreed to take corrective actions and have paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard. 
  • A not-for-profit health system in Southeast Texas consisting of 17 hospitals failed to respond timely to a complainant’s access request. They agreed to corrective actions and have paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • A surgical group practice with nine locations in the Greater Houston, Texas, area failed to provide an individual timely access to their health information. They have agreed to corrective actions and have paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 

Issue: 

HIPAA gives individuals the right to see and obtain copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records. The Centers for Medicare & Medicaid Services (CMS) in F-Tag 573 states the following regarding nursing home requirements: “The facility must provide the resident with access to personal and medical records pertaining to him or herself, upon an oral or written request, in the form and format requested by the individual … within 24 hours (excluding weekends and holidays); and the facility must allow the resident to obtain a copy of the records or any portions thereof … upon request and 2 working days advance notice to the facility.”

Discussion Points: 

  • Review policies and procedures related to HIPAA and CMS record release requirements. Ensure that they address timely access to medical records. 
  • Train all staff on HIPAA and privacy regulations. Ensure that those who receive requests for record release are knowledgeable in the right of access standard established by OCR and the time frame required by CMS to ensure timely response. Document that these trainings occurred and file the signed training document in the employee’s education file. 
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA are being followed by all staff and that each staff member demonstrates understanding and competency. Audit to ensure that timely response to record requests occurs per CMS time frames, and report audit results to the QAPI/QAA Committee.