OCR Settles Five More HIPAA Patient Right-of-Access Cases
In 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced an initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Last September OCR announced its first enforcement action and settlement in its Right of Access Initiative. Now it has settled five more investigations.
In September 2019, Bayfront Health St. Petersburg, a Florida-based Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians, paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules, OCR said Bayfront failed to provide a mother timely access to records about her unborn child.
The five settlements announced this week bring OCR's total to seven completed enforcement actions under the Right of Access Initiative. Following are descriptions of this week’s settlements.
Housing Works Inc.
Housing Works agreed to pay $38,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule's right of access provision. Housing Works is a New York City based non-profit organization that provides health care, homeless services, advocacy, job training, reentry services, and legal aid support for people living with and affected by HIV/AIDS.
In July 2019, OCR received a complaint alleging that, in June 2019, Housing Works failed to provide the complainant with a copy of his medical records. OCR provided Housing Works with technical assistance on the HIPAA Right of Access requirements and closed the complaint. In August 2019, OCR received a second complaint alleging that Housing Works still had not provided the complainant with access to his records. OCR initiated an investigation and determined that Housing Work's failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR's investigation, the complainant received his medical records in November 2019.
All Inclusive Medical Services Inc.
All Inclusive Medical Services (AIMS) has agreed to pay $15,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule's right of access provision. AIMS, based in Carmichael, Calif., is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. In April 2018, OCR received a complaint alleging that in January 2018, AIMS refused to give a patient access to her medical records when it denied her requests to inspect and receive a copy of her records. OCR initiated an investigation and determined that AIMS's actions were potential violations of the HIPAA right of access standard. As a result of OCR's investigation, AIMS sent the patient her medical records in August 2020.
Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services (BILHBS) has agreed to pay $70,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule's right of access provision. BILHBS is the largest network of mental health and substance use disorder services in eastern Massachusetts.
In April 2019, OCR received a complaint alleging that BILHBS failed to respond to a February 2019 request from a personal representative seeking access to her father's medical records. OCR initiated an investigation and determined that BILHBS' failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR's investigation, BILHBS sent the personal representative the requested medical records in October 2019.
King MD
King MD has agreed to pay $3,500 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule's right of access provision. King MD is a small health care provider of psychiatric services in Virginia.
In October 2018, OCR received a complaint alleging that King MD failed to respond to an individual's August 2018 request for access to her medical records. OCR provided King MD with technical assistance on the HIPAA right of access requirements and closed that complaint. In February 2019, OCR received a second complaint alleging that the practice still had not provided the individual with access to her medical records. OCR initiated an investigation and determined that the practice's failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR's investigation, King MD sent the individual her medical records in July 2020.
Wise Psychiatry PC
Wise Psychiatry, PC (Wise Psychiatry) has agreed to pay $10,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule's right of access provision. Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado.
In February 2018, OCR received a complaint alleging that Wise Psychiatry failed to provide a personal representative with access to his minor son's medical records. The complainant requested access in November 2017. OCR provided Wise Psychiatry with technical assistance on the HIPAA right of access requirements and closed that complaint in April 2018. In October 2018, OCR received a second complaint alleging that Wise Psychiatry still had not provided the personal representative with access to his minor son's medical records. OCR initiated an investigation and determined that Wise Psychiatry's failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR's investigation, Wise Psychiatry sent the personal representative his son's medical records in May 2019.
Although the fines are not huge, OCR's enforcement actions are designed to send a message to the healthcare industry about the importance and necessity of compliance with the HIPAA Rules. OCR considers a variety of factors in determining the amount of a settlement including the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity's history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.
"Patients can't take charge of their healthcare decisions, without timely access to their own medical information," said OCR Director Roger Severino in a statement. "Today's announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough."