The Office for Civil Rights (OCR) announced yesterday that it has settled five investigations in its HIPAA Rights to Access Initiative (Initiative), which it announced would be an enforcement priority for it starting in 2019. The Initiative is “to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.”
The addition of the five recent settlements brings the total to seven for OCR’s enforcement of the Initiative. The OCR’s press release states that the recent settlement involve five entities: Housing Works, Inc., All Inclusive Medical Services, Inc., Beth Israel Lahey Health Behavioral Sciences and King MD.
Housing Works has agreed to pay the OCR $38,000 and to adopt a corrective action plan as a result of a complaint by an individual that it failed to provide him with a copy of his medical records. OCR provided technical assistance to Housing Works and closed the complaint. A month later, the individual complained to the OCR that Housing Works had still not provided the records to him. OCR started an investigation and determined that a violation had occurred. The individual received his records three months later.
All Inclusive Medical Services, Inc. (AIMS) settled the potential violations of HIPAA with a payment of $15,000 to OCR and to adopt a corrective action plan. In that case, OCR received a complaint from an individual that AIMS refused to give her a copy of her records. As a result of the OCR’s investigation, AIMS sent the individual her medical records two years after the initial complaint.
Beth Israel Lahey Health Behavioral Service (BILHBS) has settled allegations of failing to provide access to records by paying $70,000 to the OCR and adopting a corrective action plan. The allegations against BILHBS is that a personal representative of a patient requested the medical records of her father, and BILHBS failed to provide the requested medical records, which OCR indicated was a potential violation of the HIPAA right of access standard. Following the OCR’s investigation, the records were sent to the personal representative eight months after they were requested.
King MD, a small provider of psychiatric services, has agreed to pay the OCR $3,500 and to adopt a corrective action plan. OCR received a complaint that King MD failed to respond to a request for access to medical records in August of 2018. OCR provided technical assistance to King MD, but the individual complained in February of 2019 that she still had not been provided with her medical records. OCR started an investigation and determined that the failure to provide access to the records was a potential violation of the HIPAA right of access standard. The patient received her medical records in July 2020.
Finally, Wise Psychiatry, PC, a small provider that provides psychiatric services, has agreed to pay the OCR $10,000 and to adopt a corrective action plan. The OCR received a complaint that Wise failed to provide a personal representative with access to his son’s medical records. The OCR provided technical assistance and closed its investigation. Unfortunately, OCR received a second complaint from the individual that he had not received the records, so OCR initiated an investigation and the OCR found that the “failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Wise Psychiatry sent the personal representative his son’s medical records in May 2019.”
Messages from these settlements—
- Comply with the HIPAA right of access requirements
- If the OCR provides technical assistance, listen, follow and comply with the HIPAA right of access requirements
- If the right of access requirement is not followed after the OCR provides technical assistance, and the patient complains to the OCR again, it is not likely to close the complaint again and there is a high risk of having an investigation opened and an eventual monetary settlement with the OCR.
The OCR publicly stated on multiple occasions that it would focus on enforcement of the right of access requirements starting in 2019, so covered entities may wish to review processes in place around patients’ access to records as review of compliance is timely in light of these recent settlements.
This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.