New HIPAA fines stress patient right to access their records

OCR Settles Five More Investigations in HIPAA Right of Access Initiative

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announces that it has settled five more investigations in its HIPAA Right of Access Initiative this year. OCR announced this initiative as an enforcement priority in 2019 to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements announced below bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative.

Housing Works, Inc.

Housing Works Inc. (Housing Works) has agreed to pay $38,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. Housing Works is a New York City based non-profit organization that provides health care, homeless services, advocacy, job training, reentry services, and legal aid support for people living with and affected by HIV/AIDS.

In July 2019, OCR received a complaint alleging that, in June 2019, Housing Works failed to provide the complainant with a copy of his medical records. OCR provided Housing Works with technical assistance on the HIPAA Right of Access requirements and closed the complaint. In August 2019, OCR received a second complaint alleging that Housing Works still had not provided the complainant with access to his records. OCR initiated an investigation and determined that Housing Work’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, the complainant received his medical records in November 2019.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) has agreed to pay $15,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation.

In April 2018, OCR received a complaint alleging that in January 2018, AIMS refused to give a patient access to her medical records when it denied her requests to inspect and receive a copy of her records. OCR initiated an investigation and determined that AIMS’s actions were potential violations of the HIPAA right of access standard. As a result of OCR’s investigation, AIMS sent the patient her medical records in August 2020.

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) has agreed to pay $70,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. BILHBS is the largest network of mental health and substance use disorder services in eastern Massachusetts.

In April 2019, OCR received a complaint alleging that BILHBS failed to respond to a February 2019 request from a personal representative seeking access to her father’s medical records. OCR initiated an investigation and determined that BILHBS’ failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, BILHBS sent the personal representative the requested medical records in October 2019.

King MD

King MD has agreed to pay $3,500 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. King MD is a small health care provider of psychiatric services in Virginia.

In October 2018, OCR received a complaint alleging that King MD failed to respond to an individual’s August 2018 request for access to her medical records. OCR provided King MD with technical assistance on the HIPAA right of access requirements and closed that complaint. In February 2019, OCR received a second complaint alleging that the practice still had not provided the individual with access to her medical records. OCR initiated an investigation and determined that the practice’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, King MD sent the individual her medical records in July 2020.

Wise Psychiatry, PC

Wise Psychiatry, PC (Wise Psychiatry) has agreed to pay $10,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado.

In February 2018, OCR received a complaint alleging that Wise Psychiatry failed to provide a personal representative with access to his minor son’s medical records. The complainant requested access in November 2017. OCR provided Wise Psychiatry with technical assistance on the HIPAA right of access requirements and closed that complaint in April 2018. In October 2018, OCR received a second complaint alleging that Wise Psychiatry still had not provided the personal representative with access to his minor son’s medical records. OCR initiated an investigation and determined that Wise Psychiatry’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Wise Psychiatry sent the personal representative his son’s medical records in May 2019.

Sending a Message about the Importance of Access to Health Records

OCR’s enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules. OCR considers a variety of factors in determining the amount of a settlement including the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity’s history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.

“Patients can’t take charge of their health care decisions, without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough,” Severino added.

Housing Works will undertake a corrective action plan that includes one year of monitoring. The resolution agreement and correction action plan is at: https://www.hhs.gov/sites/default/files/housing-works-signed-ra-cap.pdf – PDF*

AIMS will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and correction action plan is at: https://www.hhs.gov/sites/default/files/aims-resolution-agreement.pdf – PDF*

BILHBS will undertake a corrective action plan that includes one year of monitoring. The resolution agreement and corrective action plan is at: https://www.hhs.gov/sites/default/files/beth-israel-lahey-health-behavioral-services-ra-cap.pdf – PDF*

King MD will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan is at: https://www.hhs.gov/sites/default/files/king-md-ra-cap.pdf – PDF*

Wise Psychiatry will undertake a corrective action plan that includes one year of monitoring. The resolution agreement and corrective action plan is at: https://www.hhs.gov/sites/default/files/wise-psychiatry-resolution-agreement-corrective-action-plan.pdf – PDF*

2 thoughts on “New HIPAA fines stress patient right to access their records”

  1. I believe patients are the owner of med records content. Copies should be available in a timely manner, no more than 7 working days, and at a reasonable cost of no more than $0.05 per double sided/faced printed copied sheet. The medical facility has been reimbursed nicely for the care rendered. Personal opinion of a physician….

    Reply
    • HIPAA agrees with you that there should be easy patient access. The difference is that records requests under HIPAA allow up to 30 days to respond. Some states like Wisconsin provide free medical records to patients and their representatives, while others set various prices. HIPAA allows a provider to charge the actual cost of reproduction, which may be lower than state rates and limit state rates if applicable. In my experience, that would typically be less than your 5 cents per page suggestion because it does not include staff time. The patient may request the records in digital format, which may drive the allowable costs down to the cost of a blank DVD for unlimited pages.

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.