 Home 5 Lab Industry Advisor 5 Essential 5 OCR Doles Out Record Fine for Right of Access Violation

OCR Doles Out Record Fine for Right of Access Violation

by Glenn S. Demby | Aug 16, 2022 | Essential, HIPAA-nir, National Lab Reporter

On July 15, the Department of Health & Human Services Office for Civil Rights announced 11 new enforcement actions, including the biggest penalty doled out since the agency began the right of access program back in April 2019—$240,000 against Texas nonprofit Memorial Hermann Health System.

A female healthcare office assistant in light blue scrubs hands medical records and a pen to a female patient. Stock photo.

While federal healthcare enforcement policy has changed significantly since the Biden administration took over, the one initiative that has remained on steady course is the crackdown on providers that fail to provide patients timely access to their protected health information (PHI) under the HIPAA Privacy Rule. On July 15, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) announced 11 new enforcement actions, including the biggest penalty doled out since the agency began the right of access program back in April 2019—$240,000 against Texas nonprofit Memorial Hermann Health System.

The HIPAA Privacy Rule 30-Day Rule

The HIPAA Privacy Rule requires labs and other covered entities to respond to an individual’s request for access to their PHI within 30 calendar days. Providers can extend the deadline an additional 30 calendar days by sending the requestor a written statement explaining the reasons for the delay and the date by which the access request will be processed.

These timelines apply regardless of whether the requested PHI is maintained by the covered entity or a business associate acting on its behalf. In other words, labs don’t get extra time to sort things out with their business associates. Significantly, the 30-day clock begins to tick when the access request is received rather than the date any negotiations with the requestor end.

The OCR Right of Access Crackdown

Foot dragging has been a problem almost from the moment the 30-day right of access rule took effect. Previously, patients would complain to the OCR, which would then intervene and maybe issue a warning to the provider. Actual penalties, however, were fairly rare.

All that changed in April 2019, when the OCR announced a new enforcement initiative to impose penalties on access delays. “It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” noted current OCR director Lisa J. Pino in announcing the latest round of enforcement actions.

The OCR has now handed out 38 penalties, seven of them in the six-figure range, under the initiative. In addition to the monetary settlement, each accused provider was required to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years.

Here’s a scorecard of all announced settlements to date.

OCR Right of Access Initiative Settlements Scorecard (as of August 5, 2022)

entries per page

Search:

Provider	Settlement Amount	Allegations
Memorial Hermann Health System	$240,000	Texas nonprofit health system’s billing department failed to provide patient complete medical and billing records despite 5 different requests
Banner Health ACE	$200,000	OCR cites two occasions in which Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI
Rainrock Treatment Center, LLC dba Monte Nido Rainrock	$160,000	Florida eating disorder treatment center took more than 8 months to fulfill patient’s request for a copy of her medical records
St. Joseph’s Hospital and Medical Center	$160,000	Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative
ACPM Podiatry	$100,000	In response to initial complaint and OCR intervention, Illinois podiatry practice agreed to provide patient requested medical records but reneged on its agreement despite patient’s multiple requests
Dr. Robert Glaser	$100,000	New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record
NY Spine Medicine	$100,000	Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films
Bayfront Hospital	$85,000	Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child
Korunda Medical	$85,000	After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees
Children’s Hospital & Medical Center	$80,000	Nebraska hospital failed to provide mother of minor patient timely access to her daughter’s medical records, despite repeated requests

Showing 1 to 10 of 37 entries

*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years

Sign up for our free weekly Lab & Pathology Insider email newsletter

Email*

Country*

Subscribe to view Essential

Start a Free Trial for immediate access to this article

TRY FOR FREE