Enforcement Trends: OCR Continues to Crack Down on HIPAA Right of Access Violations

On Sept. 9, 2019, the Office for Civil Rights (OCR), the HHS agency in charge of federal HIPAA enforcement, did something it had never done before by entering into a monetary settlement with a provider for a HIPAA right of access claim. And before the year was out, it did it again. The OCR Right of Access Initiative The actions are part of the Right of Access Initiative that the agency unveiled in Spring 2019. Although right of access has generated roughly one in three HIPAA complaints, privacy and security breaches have historically been the focus of OCR litigation and Phase 2 compliance audits. The first “trophy” yielded by this major enforcement policy change was the $85,000 September settlement with Florida’s Bayfront Hospital for allegedly denying an expectant mother timely access to the protected health information (PHI) of her unborn child. See National Intelligence Report (NIR), November 2019, for the details. The Most Recent Settlement Coincidentally, the most recent Right of Access Initiative settlement also involved a Florida provider. The cases began in March when the OCR received a complaint about Korunda Medical’s alleged failure to send a patient’s PHI to a third party in a timely manner despite repeated requests. Then, when it finally did transmit the information, the primary care and interventional pain management services provider allegedly didn’t do so in the requested electronic format and charged the patient excessive fees. Only after the OCR intervened for the second time did Korunda adequately fulfill the request. As in the Bayfront Hospital case, the settlement amount was $85,000. And like Bayfront, Korunda also had to implement a burdensome corrective action plan as part of the settlement. Takeaway The deadline for responding to a patient PHI access request is 30 days. To avoid potential audits and liability under the Right of Access Initiative, labs simply cannot afford to drag their feet in meeting the deadline (or charge excessive fees for processing PHI access requests). “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia,” declared OCR Director Roger Severino. “We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”