Getty Images

NY Specialist Pays OCR $15K for HIPAA Right of Access Failures

Rajendra Bhayani, MD, a New York specialist, is the eleventh provider to settle with OCR under its Right of Access Initiative. The enforcement action will resolve possible HIPAA failures.

The Office for Civil Rights announced it reached a settlement with Rajendra Bhayani, MD, a private practice otolaryngology specialist based in Regal Park, New York for $15,000 and a corrective action plan to resolve allegations of potential HIPAA right of access failures.

The settlement stems from a September 2018 complaint filed with OCR that alleged the provider did not provide the patient with a copy of her medical records, following a request to Bhayani’s practice in July 2018. 

The access failure occurred despite the practice receiving a letter from the agency that asserted they were obligated to provide the patient with her records in October 2018. The patient filed a second complaint with OCR in July 2019 that alleged she still had not received her medical records from the specialist.

OCR launched an investigation into Bhayani’s practice, during which the provider still failed to provide the patient with her medical records.

What’s more, Bhayani did not respond to two correspondences sent from OCR requesting data from the provider in August and October 2019. As a result of the investigation, the patient finally received access to her medical records in September 2020, more than two years after the initial request.

The investigation revealed Bhayani failed to provide timely access to protected health information and failed to cooperate with the OCR complaint audit. As a result, the provider will pay OCR a civil monetary penalty and enter into a corrective action plan, which will include two years of monitoring.

Under the CAP, Bhayani is required to review and revise the policies and procedures for an individual’s right to access protected health information, which must include identifying methods for calculating costs for the labor used to copy PHI requested by the individual, the supplies for creating the patient copy of PHI or electronic media, postage for mailing requests, and preparing an explanation or summary of the requested PHI, if agreed to by the individual.

The practice is also required to provide employees with training materials and education on the individual’s right to access PHI under HIPAA.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion, ” said OCR Director Roger Severino, in a statement. “We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

The settlement is the eleventh enforcement action taken under the agency’s 2019 Right of Access Initiative and the second announced in the last month. The initiative is designed to empower patients with access to their protected health information in a designated record set, as required by HIPAA.

As previously noted by the Department of Health and Human Services: “Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).”

Despite the HIPAA-requirement, many healthcare covered entities and their business associates struggle with compliance as highlighted in Ciitizen research.

The biggest right of access failures are caused by failing to send records in the form or format requested by the individual, with some providers declining to send information via unsecured email, even when a patient acknowledged and accepted the risk.

Other failures observed by Ciitizen include providers missing the  30-day deadline or failing to send notice to the individual with an explanation for the delay.

At the time, researchers explained that “‘form and format’ is an aspect of the law that can be very important to patients, who often can’t accept a fax or CD or for whom encrypting data could create a barrier, because the encryption can ‘stick’ to the data and the password typically will expire within 30 days (or less).”

“OCR’s guidance emphasizes that patients can choose convenience over security in getting their records, and providers (or their vendors) who ignore this aspect of a patient’s request are placing obstacles in the path of patients exercising their HIPAA Right of Access,” they added.

Next Steps

Dig Deeper on HIPAA compliance and regulation