HHS’ Office for Civil Rights Reports 5 Financial Fines for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing its enforcement of HIPAA Right of Access compliance and has announced 5 more financial penalties. The HIPAA Right of Access enforcement initiative was started in the autumn of 2019 in response to a considerable number of complaints from patients who didn’t get prompt access to their medical data.

The HIPAA Privacy Rule requires covered entities to give patients access to their health records. A copy of the health data needs to be provided within 30 days after the request is made, though a 30-day extension is possible in certain cases. HIPAA-covered entities are allowed to charge patients for the copy of their medical records, but they may only charge a reasonable, cost-based amount. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions so far have not been for charging excessive amounts, only for impermissibly failing to provide a copy of the requested documents or for unnecessary delays. In certain cases, patients had to wait a few months before they were given a copy of their data.

OCR’s most recent announcement brings the number of HIPAA Right of Access enforcement actions issued under the 2019 enforcement initiative up to 25.

In the five new cases described below, OCR determined that the healthcare organizations violated 45 C.F.R. § 164.524 and did not provide timely access to protected health information (PHI) about the individual after receiving a request.

Denver Retina Center, a provider of ophthalmological services based in Denver, CO, settled its case with OCR and paid a $30,000 financial penalty. It will be monitored for compliance with its corrective action plan for 12 months. A patient complained that she had requested her medical records in December 2018 but did not receive a copy of her data until July 26, 2019. OCR had previously provided technical assistance to the provider after receiving an earlier HIPAA Right of Access complaint from the same patient, and had closed that case. When information was received about the continued failure to comply, the case was reopened. OCR determined that, aside from the delay, Denver Retina Center had access policies and procedures that were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, settled OCR’s investigation and paid a $32,150 financial penalty. OCR will monitor the provider’s implementation of its corrective action plan for 2 years. The investigation was opened in response to a complaint from a patient who requested his health records on November 25, 2019, but did not receive them until March 19, 2020.

Rainrock Treatment Center LLC (doing business as Monte Nido Rainrock), a provider of residential eating disorder treatment services based in Eugene, OR, settled OCR’s investigation, paid a $160,000 financial penalty, and will be monitored for compliance with its corrective action plan for a year. OCR received 3 patient complaints about not receiving the requested copy of her medical data. The patient submitted requests for a copy of her information on October 1, 2019, and November 21, 2019, and did not receive the requested information until May 22, 2020.

Dr. Robert Glaser, a cardiovascular disease and internal medicine physician in New Hyde Park, NY, did not cooperate with OCR during the investigation, although he did not contest the findings and waived his right to a hearing. OCR imposed a civil monetary penalty of $100,000. The investigation was opened after OCR received a complaint from a former patient who said he had made several written and verbal requests for a copy of his health information from 2013 to 2014. The complaint was submitted to OCR on November 9, 2017, and OCR closed it on December 15, 2017, after instructing Dr. Glaser to look into the complaint and provide the requested documents if the requests were consistent with the HIPAA Right of Access. The patient sent another complaint to OCR on March 20, 2018, and gave proof of additional written requests. OCR attempted to contact Dr. Glaser a number of times by letter and telephone, but he repeatedly did not respond, hence the decision to impose a civil monetary penalty.

Wake Health Medical Group, a provider of primary care and other medical care services located in Raleigh, NC, settled OCR’s investigation, paid a $10,000 financial penalty, and will take corrective action to prevent further HIPAA Right of Access violations. OCR received a complaint from a patient who had requested a copy of her health records on June 27, 2019 and paid a flat fee of $25, which is the standard rate charged by Wake Health Medical Group for providing copies of medical information. As of the time of the settlement, the patient still had not received the requested documents.