OCR Settles With NJ Specialist Over HIPAA Right of Access Failure

New Jersey-based specialist Village Plastic Surgery has agreed to pay OCR $30,000 to resolve a potential violation of the HIPAA Privacy Rule’s right of access standard.

The Department of Health and Human Services Office for Civil Rights announced it reached a settlement with Village Plastic Surgery (VPS) to resolve potential violations of the HIPAA right of access standard.

The New Jersey-based specialist will pay a $30,000 civil monetary penalty and agreed to enter into a corrective action plan with OCR.

OCR has made patient rights around timely access to their health records a key compliance priority for the last two years, under its Right of Access Initiative. The VPS penalty is the second enforcement action in the last week and the eighteenth reported under the initiative since its launch in 2019.

The VPS settlement stems from a patient complaint filed with OCR on September 7, 2019, which alleged VPS failed to provide the patient with a copy of their medical records.

OCR launched an investigation into the incident and found the specialist had indeed failed to provide the patient with timely access to their requested records, a potential violation of the HIPAA right of access standard.

Under the rule, providers and relevant business associates are required to take action on patient access requests within 30 days of the initial request, or within 60 days with an applicable extension.

As a direct result of the OCR investigation, the patient received their medical records from VPS.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese, in a statement.

“Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not,” she continued.

As part of the settlement, VPS has also entered into a corrective action plan that includes two years of monitoring by OCR. Within 30 days, VPS must review and revise, where necessary, its policies and procedures for access requests for patient protected health information.

The revisions must include identifying VPS’s methods for calculating a reasonable cost-based fee for access to PHI, such as the labor for copying PHI, paper or electronic formatting, needed supplies for portable media requests, postage fees for mailing requests, and preparation of the PHI explanation or summary, if requested.

VPS must submit the policy revisions to HHS for review and distribute the approved policies to the applicable workforce. All employees that interact with patient access requests must then receive training on the Privacy Rule requirements.

As OCR continues its steady enforcement of the right of access standard, all providers and relevant business associates should review the HIPAA requirements to ensure compliance. HIPAA requires covered entities to provide individuals with access to their PHI in a designated record set, upon request.

The access rights apply “for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated.”

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,” according to HHS. 

The designated record set is a group of records maintained by or for a covered entity, including medical and billing records; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or other records used by the covered entity to make any decision about the patient.

The HHS factsheet details the few exceptions and offers insights into the form and format and into requests for personal representatives, which could support covered entities in reviewing their current records request policies.
