OCR Doles Out Record Fine for Right of Access Violation
On July 15, the Department of Health & Human Services Office for Civil Rights announced 11 new enforcement actions, including the biggest penalty doled out since the agency began the right of access program back in April 2019—$240,000 against Texas nonprofit Memorial Hermann Health System.
While federal healthcare enforcement policy has changed significantly since the Biden administration took over, the one initiative that has remained on steady course is the crackdown on providers that fail to provide patients timely access to their protected health information (PHI) under the HIPAA Privacy Rule. On July 15, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) announced 11 new enforcement actions, including the biggest penalty doled out since the agency began the right of access program back in April 2019—$240,000 against Texas nonprofit Memorial Hermann Health System.
The HIPAA Privacy Rule 30-Day Rule
The HIPAA Privacy Rule requires labs and other covered entities to respond to an individual’s request for access to their PHI within 30 calendar days. Providers can extend the deadline an additional 30 calendar days by sending the requestor a written statement explaining the reasons for the delay and the date by which the access request will be processed.
These timelines apply regardless of whether the requested PHI is maintained by the covered entity or a business associate acting on its behalf. In other words, labs don’t get extra time to sort things out with their business associates. Significantly, the 30-day clock begins to tick when the access request is received rather than the date any negotiations with the requestor end.
The OCR Right of Access Crackdown
Foot dragging has been a problem almost from the moment the 30-day right of access rule took effect. Previously, patients would complain to the OCR, which would then intervene and maybe issue a warning to the provider. Actual penalties, however, were fairly rare.
All that changed in April 2019, when the OCR announced a new enforcement initiative to impose penalties on access delays. “It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” noted current OCR director Lisa J. Pino in announcing the latest round of enforcement actions.
The OCR has now handed out 38 penalties, seven of them in the six-figure range, under the initiative. In addition to the monetary settlement, each accused provider was required to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years.
Here’s a scorecard of all announced settlements to date.
OCR Right of Access Initiative Settlements Scorecard (as of August 5, 2022)
Provider | Settlement Amount | Allegations |
---|---|---|
Memorial Hermann Health System | $240,000 | Texas nonprofit health system’s billing department failed to provide patient complete medical and billing records despite 5 different requests |
Banner Health ACE | $200,000 | OCR cites two occasions in which Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI |
Rainrock Treatment Center, LLC dba Monte Nido Rainrock | $160,000 | Florida eating disorder treatment center took more than 8 months to fulfill patient’s request for a copy of her medical records |
St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative |
ACPM Podiatry | $100,000 | In response to initial complaint and OCR intervention, Illinois podiatry practice agreed to provide patient requested medical records but reneged on its agreement despite patient’s multiple requests |
Dr. Robert Glaser | $100,000 | New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record |
NY Spine Medicine | $100,000 | Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films |
Bayfront Hospital | $85,000 | Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child |
Korunda Medical | $85,000 | After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees |
Children’s Hospital & Medical Center | $80,000 | Nebraska hospital failed to provide mother of minor patient timely access to her daughter’s medical records, despite repeated requests |
Renown Health, P.C. | $75,000 | Nevada private, not-for-profit health system didn’t timely honor patient’s request to transfer her EHR and billing records to a third party |
Sharp Rees-Stealy Medical Centers | $70,000 | California hospital and healthcare network didn’t timely honor request to transfer patient’s EHR to a third party |
Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored request of personal representative seeking access to her father’s PHI |
Southwest Surgical Associates | $65,000 | Group practice in Greater Houston, TX area failed to provide patient timely access to their requested PHI |
Arbour Hospital | $65,000 | Massachusetts mental health services provider kept patient waiting 5 months before granting access to his PHI |
University of Cincinnati Medical Center, LLC | $65,000 | Ohio academic medical center failed to respond to patient’s request to send an electronic copy of her medical records maintained in its EHR to her lawyers |
Hillcrest Nursing and Rehabilitation | $55,000 | Massachusetts rehab agency failed to provide an individual’s personal representative with timely access to her son’s medical records |
MelroseWakefield Healthcare | $55,000 | Massachusetts provider didn’t furnish personal representative timely access to medical records under a durable power of attorney based on mistaken belief that the power of attorney didn’t permit provision of those records |
Erie County Medical Center Corporation | $50,000 | Buffalo, NY hospital didn’t timely provide individual a complete copy of his medical records |
Housing Works Inc. | $38,000 | New York City non-profit services provider refused patient’s request for a copy of his medical records |
Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Georgia primary care practice failed to provide patient access to his medical records |
*Advanced Spine & Pain Management | $32,150 | Ohio pain services provider took nearly 4 months to provide patient requested medical records |
Fallbrook Family Health Center | $30,000 | Nebraska provider failed to provide timely access to medical records |
Dr. Donald Brockley, D.D.M | $30,000 | Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record |
Denver Retina Center | $30,000 | Colorado ophthalmological services provider took 8 months to provide requested medical records and lacked compliant access policies |
Village Plastic Surgery | $30,000 | New Jersey practice failed to provide patient timely access to his medical records |
Jacob and Associates | $28,000 | Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for 5 years in a row |
Riverside Psychiatric Medical Group | $25,000 | California medical group didn’t provide patient copy of her medical records despite repeated requests and OCR intervention |
Associated Retina Specialists | $22,500 | New York provider didn’t give patient a copy of her medical records until three days after OCR initiated its investigation, and nearly 5 months after the patient’s first written request |
Coastal Ear, Nose, and Throat | $20,000 | Ormond Beach, Florida practice didn’t provide patient timely access to medical records despite multiple requests |
Dr. Rajendra Bhayani | $15,000 | NY physician didn’t provide patient her medical records even after OCR intervened and closed the complaint |
All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused patient’s requests to inspect and receive a copy of her records |
Wake Health Medical Group | $10,000 | North Carolina primary care provider never furnished requested records despite charging patient $25 access fee |
Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record |
Lawrence Bell, Jr., D.D.S. | $5,000 | Baltimore, MD dental practice failed to provide timely access to a patient’s medical record |
Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | West Virginia diabetes clinic made the mother of a minor patient wait nearly 2 years for access to his medical records |
King MD | $3,500 | Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint |
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years
Subscribe to view Essential
Start a Free Trial for immediate access to this article