OCR Cracking Down on Providers Who Violate HIPAA’s Right of Access Requirement

HIPAA Privacy Rule’s right of access requires healthcare providers to give patients access to their health records upon request and for a reasonable fee. However, many providers are either slow to respond, fail to respond, or when they do respond, have charged excessive amounts of money for those records.

Although many providers have gotten away with ignoring their responsibility under this provision, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is now vigorously enforcing this provision as evidenced by two recent actions the agency has taken in recent months.

Earlier this month, OCR announced its second enforcement action of the year. Korunda Medical LLC, a Naples, Florida-based company that provides comprehensive primary care and interventional pain management services, agreed to take corrective action and pay $85,000 to settle potential violations of the right of access provision.

OCR said it received a complaint in March 2019 from a patient alleging that despite repeated requests, Korunda failed to forward their electronic health records to a third party. OCR stated that it provided Korunda with technical assistance on how to correct the problem and closed the complaint, only to have to reopen it when Korunda continued to fail to provide the requested records, resulting in a second complaint to OCR. The requested records were finally provided two months later without cost.

In addition to the fine, Korunda agreed to a corrective action plan that includes a year of monitoring, as well as the revision of its policies and procedures for providing patients with access to their protected health information.

In September, OCR announced its first enforcement action against Bayfront Health St. Petersburg, a Level II trauma and tertiary care center licensed as a 480-bed hospital. In that case, the St. Petersburg, Florida-based hospital was alleged to have failed to provide a mother with timely access to records about her unborn child. OCR initiated an investigation after the patient complained. As a result, the records were provided more than nine months after the initial request.

HIPAA rules generally required medical records be provided within 30 days of the request and that providers charge a reasonable cost-based fee. Bayfront paid an $85,000 settlement and agreed to a corrective action plan.

Ciitizen, a consumer health tech company which has created a Patient Record Scorecard reported last month that while more providers (40 percent) are complying with HIPAA’s right of access provision, about 51 percent are still failing to do so, or require “significant intervention to be compliant.†Sending records in the form and format requested by the patient still continues to be the biggest reason for noncompliance with HIPAA, according to its report.

OCR has made it clear that it will be taking action against providers who do not comply. Providers would be well advised to review their policies and practices to ensure patient that they are in compliance with HIPAA rules. 

The Health Law Offices of Anthony C. Vitale can assist you in reviewing your policies and procedures. Contact us for additional information at 305-358-4500 or send us an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.