This is a republication of the article below, with the title above.
Healthcare IT News
July 18, 2022
OCR fines 11 healthcare orgs for HIPAA right of access cases
“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.
The HHS Office for Civil Rights on Friday said it has settled nearly a dozen investigations of allegations of HIPAA Right of Access Initiative violations.
WHY IT MATTERS
OCR’s enforcement actions, which include some substantial monetary penalties for the following healthcare providers, and compelled them to furnish patients with timely copies of their health records:
- Peoria and Canton, Illinois-based ACPM Podiatry, failed to provide a former patient with his requested medical records, according to OCR. In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination. OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
- Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. The practice agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard.
- Baltimore-based Lawrence Bell, Jr., D.D.S., a dental practice, failed to provide timely access to a patient’s medical record, according to OCR. The dental practice has agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Ormond Beach, Florida-based Coastal Ear, Nose, and Throat allegedly failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard
- Danbury Psychiatric Consultants, located in Massachusetts, failed to respond timely to a complainant’s access request. DPC also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. DPC has agreed to take corrective actions and has paid $3500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center, located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Fallbrook Family Health Center, located in Nebraska, failed to provide timely access to medical records. Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Hillcrest Nursing and Rehabilitation, located in Massachusetts, failed to provide an individual’s personal representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
- MelroseWakefield Healthcare, a provider in Massachusetts, did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records. MWH has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
- Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, failed to respond timely to a complainant’s access request. Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Southwest Surgical Associates is a group practice with nine locations in the Greater Houston, TX area, failed to provide an individual timely access to their health information. SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
THE LARGER TREND
The 11 new cases bring the total number of settlements to 38 since OCR began enforcing the HIPAA Right of Access Rule in 2019.
The 11 new cases bring the total number of settlements to 38 since OCR began enforcing the HIPAA Right of Access Rule in 2019.
Despite the more rigorous enforcement, however, some patients are still forced to sue to gain access to their own healthcare information.
ON THE RECORD
“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino in a statement.
“Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
Originally published at https://www.healthcareitnews.com on July 18, 2022.
Names mentioned:
OCR Director Lisa J. Pino.