Elite Primary Care Pays OCR $36K for HIPAA Right of Access Violation

OCR announced a $36,000 settlement and corrective action plan with Elite Primary Care to resolve a HIPAA right of access failure, the thirteenth enforcement action made under the HHS initiative.

Elite Primary Care in Georgia has agreed to a $36,000 settlement with the Office for Civil Rights to resolve a potential violation of the HIPAA Privacy Rule's right of access standard.

Launched in 2019, the Department of Health and Human Services OCR Right of Access Initiative is designed to improve patients' access to their medical records on a timely basis and for a reasonable fee.

Under HIPAA, covered entities are required to provide patients or their personal representatives with access to their medical records upon request "in one or more 'designated record sets' maintained by or for the covered entity."

"This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice," according to HHS.

"Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated," HHS added.

The latest settlement stems from a record access complaint filed with OCR on April 22, 2019, alleging Elite failed to provide a patient with access to his medical records. In response, OCR provided the covered entity with technical assistance around the HIPAA standard.

OCR also advised Elite to review the rule and facts around the request, stating that the provider should swiftly give the patient access to their records if the request met the HIPAA requirements. The patient submitted another records request in writing to Elite in June 2019.

However, by October 9, 2019, the patient still had not received the requested records and filed a second request with OCR. Elite sent the records to the patient’s new healthcare provider on November 21, 2019, and to the patient on May 8, 2020.

OCR found that Elite failed to provide timely access in response to the patient’s access request. As such, the provider agreed to pay HHS the civil monetary penalty and to enter into a corrective action plan, which includes two years of monitoring.

"OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records," said OCR Director Roger Severino, in a statement.

"Healthcare providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee," he added.

Under the CAP, Elite is required to develop, maintain, and revise, as necessary, written policies and procedures for complying with the HIPAA standards around the privacy of individually identifiable health information.

At a minimum, these measures must include a review and update of the designated record set policy within its Right of Access to protected health information to ensure effective and comprehensive responses to access requests.

The policies must also include training protocols for all workforce members involved in receiving or fulfilling records requests, as well as application of appropriate sanctions for members who fail to comply with Elite’s policies and procedures.

Lastly, Elite is required to review and update, as necessary, its designated record set policy to “ensure the provision of a standard method for requesting access for personal representatives versus individuals with whom the Covered Entity is authorized to share PHI.”

Those policies must be distributed to the entire workforce, and Elite must then provide the appropriate employees with training.

The enforcement penalty with Elite Primary Care is the thirteenth settlement made under the initiative and the fourth announced in the last two months, a group that includes the Riverside Psychiatric Medical Group and the University of Cincinnati Medical Center.

A recently released OCR audit found 89 percent of providers failed to comply with the requirements of the HIPAA right of access standards. On December 10, HHS proposed changes to the Privacy Rule that are designed to improve patients' right of access.
