Getty Images

OCR Settles 11 HIPAA Right of Access Cases

OCR announced the resolution of 11 HIPAA Right of Access cases to reinforce patient health record access under the HIPAA Privacy Rule.

The HHS Office for Civil Rights (OCR) announced 11 HIPAA Right of Access resolutions. OCR created the HIPAA Right of Access Initiative in 2019 to support patients' right to timely and cost-effective access to their health records.

"It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records," Lisa J. Pino, OCR's director, said in a press release

"Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples' fundamental right to timely access to their medical records."

Each settlement involved a settlement payment to resolve allegations of HIPAA Privacy Rule violations, and most required the covered entities to undertake standard corrective action plans. None of the settlements equate to an admission of guilt by the impacted parties.  

ACPM PODIATRY

OCR imposed a $100,000 civil money penalty against Illinois-based ACPM Podiatry over its failure to provide a former patient with access to his requested medical records. Former patient Richard Lindsey alleged in an April 2019 complaint to OCR that ACPM had failed to provide him with his medical records.

In response, OCR provided ACPM with written guidance regarding the HIPAA Privacy Rule's right of access standards and informed the practice that it would have to honor the records request within 30 days.

Despite this notice, the initial complainant filed another complaint on May 19, 2019 alleging that he had still not received the records. Lindsey had other interactions with ACPM, including one in which he alleged that ACPM said they would not release the documents until the complainant's insurance company had paid the bill.

The complainant received an incomplete copy of his medical records on July 23, 2020, 618 days after the initial request.

"To date, ACPM has not provided a response to the Letter of Opportunity and therefore has not provided any written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR's consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404," the Notice of Proposed Determination stated

"ACPM also did not submit any written evidence to support a waiver of a CMP for the indicated areas of non-compliance."

ACPM lost the right to appeal the imposition since it failed to request a hearing in a timely manner.

ASSOCIATED RETINA SPECIALISTS

New York-based Associated Retina Specialists paid $22,500 to settle a potential HIPAA Privacy Rule violation. According to the resolution agreement, a complainant told OCR on February 18, 2021 that Associated Retina Specialists had not provided her a copy of her requested medical records.

Associated Retina Specialists provided the complainant with a copy of her records three days after OCR initiated its investigation in March 2021, and five months after the complainant's initial request.

The practice agreed to pay a civil money penalty and engage in a corrective action plan that requires it to review and revise its policies and procedures relating to patient access to protected health information (PHI).

LAWRENCE BELL, JR., DDS, PA

The Baltimore, Maryland-based dental practice of Lawrence Bell, Jr., DDS, PA paid $5,000 to settle a potential right of access standard violation and agreed to engage in a corrective action plan. OCR received a complaint in October 2019 that alleged that Lawrence Bell, Jr., DDS, PA failed to provide a client with access to his PHI in July 2019.

The corrective action plan required the practice to provide the patient with access to his requested records within 15 days of the effective date. The practice also had to review and revise its policies to align with HIPAA Privacy Rule compliance standards.

Lawrence Bell, Jr., DDS, PA is also required to distribute its revised policies to workforce members and business associates within 30 days of HHS approval, among other corrective measures.

COASTAL EAR, NOSE, AND THROAT

Ormond Beach, Florida-based Coastal Ear, Nose, and Throat (ENT) paid $20,000 to settle potential HIPAA violations after failing to provide timely access to medical records to a patient.

According to the resolution agreement, a patient filed multiple complaints with OCR in January and April 2021 after requesting records from Coastal ENT in December 2020 and January 2021. Coastal ENT did not respond to the complainant's requests until May 20, 2021.

Coastal ENT agreed to a corrective action plan, which requires it to update its policies and procedures, train employees on right of access standards, and submit implementation and annual reports to HHS.

FALLBROOK FAMILY HEALTH CENTER

Nebraska-based Fallbrook Family Health Center (FFHC) paid $30,000 to OCR and agreed to a corrective action plan. Despite requesting a copy of her PHI on three separate occasions, the complainant did not receive her designated record set from FFHC.

FFHC said that it failed to provide the patient with access to her records due to an employee's misunderstanding of the HIPAA right of access standards.

The complainant received a copy of her records on June 19, 2020. FFHC paid a civil money penalty and agreed to revise its policies.

DANBURY PSYCHIATRIC CONSULTANTS

Massachusetts-based Danbury Psychiatric Consultants (DPC) agreed to take corrective actions and paid $3,500 to settle potential HIPAA violations.

OCR's investigation revealed that after a patient requested medical records on March 27, 2020, DPC withheld the information on the basis that the complainant had an outstanding balance and required an authorization request.

DPC did not provide the patient with access to their PHI until September 2020, after OCR had begun its investigation. Like other corrective action plans, DPC agreed to review its policies, submit annual reports, and provide employee training to its workforce.

ERIE COUNTY MEDICAL CENTER CORPORATION

Erie County Medical Center Corporation (ECMCC), a public benefit corporation that operates Erie County Medical Center (ECMC) in Buffalo, New York, paid a $50,000 settlement and agreed to take corrective actions following a potential HIPAA violation.

In December 2019, a complainant told OCR that ECMCC failed to provide her husband with a complete copy of his medical records. OCR's investigation determined that ECMCC failed to provide the records in a timely manner. ECMCC did provide the complainant's husband with a complete copy during the investigation.

In addition to paying $50,000, ECMCC must provide privacy training to employees, review policies and procedures, submit annual reports, and provide a detailed list of all PHI requests to HHS every 90 days until the corrective action plan term ends.

MELROSEWAKEFIELD HEALTHCARE

MelroseWakefield Healthcare (MWH) in Massachusetts agreed to a civil monetary settlement of $54,500 and a corrective action plan to settle potential HIPAA violations.

"MelroseWakefield Healthcare (MWH), a provider in Massachusetts, did not provide a personal representative with timely access to her mother's records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records," HHS OCR stated.

The complainant made a valid PHI request for her mother's records on June 12, 2020 and MWH denied the request. After learning of OCR's investigation, MWH reviewed the power of attorney documentation again and determined that the complainant's request was valid. MWH provided the complainant with her mother's records in October 2020.

MWH agreed to take on a standard corrective action plan that requires it to revise its policies and submit annual reports.

MEMORIAL HERMANN HEALTH SYSTEM

The nonprofit Memorial Hermann Health System (MHHS) in Southeast Texas paid $240,000 to settle a potential HIPAA violation. The health system consists of 17 hospitals, including Memorial Hermann Katy Hospital.

OCR received a request in August 2020 from a patient who alleged that MHHS had failed to provide a patient with a copy of her complete medical and billing records after five requests.

OCR's investigation revealed that MHHS failed to deliver on the patient's July 2019 request for an itemized billing statement until March 26, 2021.

MHHS agreed to a corrective action plan consisting of revised policy requirements and annual reports.  

SOUTHWEST SURGICAL ASSOCIATES

Houston, Texas-based Southwest Surgical Associates (SWSA) agreed to corrective actions and a payment of $65,000 to settle potential HIPAA Privacy Rule violations.

OCR received a complaint on December 12, 2020, alleging that SWSA failed to provide a patient with access to her PHI. In February 2021, HHS notified SWSA of its investigation and later determined that SWSA failed to provide the complainant with timely access to her PHI.

SWSA paid OCR and agreed to update its policies and procedures.

Next Steps

Dig Deeper on HIPAA compliance and regulation