OCR Settles with Psychiatric Provider for HIPAA Right of Access Violation

The Department of Health and Human Services Office for Civil Rights announced it reached a $25,000 settlement with California-based Riverside Psychiatric Medical Group to resolve a potential HIPAA Right of Access violation.  

The resolution marks the tenth of the OCR HIPAA Right of Access Initiative, which was launched in 2019 and designed to ensure providers are in compliance with the rule. The settlement is the seventh announced in 2020 -- including Dignity Health, NY Spine Medicine, and five other providers.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino, in a statement.

Under HIPAA, “covered entities [must]provide individuals, upon request, with access to the protected health information (PHI) about them in one or more ‘designated record sets’ maintained by or for the covered entity."

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,” according to HHS.  

“Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.),” HHS continued.

Despite the rule, many providers struggle to maintain compliance. Ciitizen research recently found a significant in the number of covered entities complying with the rule, with just 27 percent of studied providers needing assistance to provide patients access to their records. 

For Riverside Psychiatric, the resolution stems from a patient complaint made to OCR in March 2019. The patient alleged the specialist failed to provide her with a copy of her medical records, despite multiple requests. 

Upon receiving the complaint, OCR provided Riverside Psychiatric with technical assistance on how to comply with the access requirements and closed the case. However, the patient filed a second complaint with OCR that alleged the provider had not yet produced the medical records. 

OCR launched an investigation and found Riverside Psychiatric’s failure to respond to the patient’s request was a potential violation of the HIPAA right of access standard. 

“RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request,” according to HHS. 

“While the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities to provide requestors a written explanation when it denies any records request in whole or in part, which RPMG did not do, and to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding),” HHS added. 

In response to the OCR investigation, Riverside Psychiatric sent the patient all requested medical information, excluding psychotherapy notes, in October 2020. 

In addition to the $25,000 settlement, Riverside Psychiatric also agreed to enter into a corrective action plan, which includes two years of monitoring. Under the CAP, the provider is required to revise its PHI right of access policies and procedures to reflect satisfactory compliance with HIPAA.

The policies and procedures must be distributed to all workforce members and relevant business associates with signed compliance certifications.