OCR Cracks Down on Providers Who Don’t Provide Individuals Timely Access to PHI
The HIPAA Privacy Rule requires labs and other health care providers to provide persons on whom they keep health records and other protected health information (PHI) timely access to that information at a reasonable cost. But while the access rules have been on the books for decades, they’ve historically received less attention from enforcers than other parts of the law. But suddenly that has all changed. Once unheard of, fines against providers for failing to meet their PHI access responsibilities under HIPAA are becoming a common occurrence. The OCR Right of Access Initiative It all began in April 2019, when the Office of Civil Rights (OCR), the HHS agency that’s responsible for enforcing HIPAA, announced its intention to make enforcement of individual access rights a priority for the coming year and beyond. Lest anybody thought it was just a bluff, in September 2019, the OCR announced its first ever monetary settlement with a provider for a HIPAA right of access claim—$85,000 against Florida’s Bayfront Hospital for allegedly denying an expectant mother timely access to the PHI of her unborn child. Before the year was out, the agency would do it again, announcing another settlement with a Florida provider, Korunda Medical, […]
The HIPAA Privacy Rule requires labs and other health care providers to provide persons on whom they keep health records and other protected health information (PHI) timely access to that information at a reasonable cost. But while the access rules have been on the books for decades, they’ve historically received less attention from enforcers than other parts of the law. But suddenly that has all changed. Once unheard of, fines against providers for failing to meet their PHI access responsibilities under HIPAA are becoming a common occurrence.
The OCR Right of Access Initiative
It all began in April 2019, when the Office of Civil Rights (OCR), the HHS agency that’s responsible for enforcing HIPAA, announced its intention to make enforcement of individual access rights a priority for the coming year and beyond. Lest anybody thought it was just a bluff, in September 2019, the OCR announced its first ever monetary settlement with a provider for a HIPAA right of access claim—$85,000 against Florida’s Bayfront Hospital for allegedly denying an expectant mother timely access to the PHI of her unborn child.
Before the year was out, the agency would do it again, announcing another settlement with a Florida provider, Korunda Medical, accused of failing to send a patient’s PHI to a third party in a timely manner despite repeated requests. When it finally did transmit the information, the primary care and interventional pain management services provider allegedly didn’t do so in the requested electronic format and charged the patient excessive fees. Only after the OCR intervened for the second time did Korunda adequately fulfill the request. As in the Bayfront Hospital case, the settlement amount was $85,000. And like Bayfront, Korunda also had to implement a burdensome corrective action plan as part of the settlement.
Act 2 of the Access Initiative
Not surprisingly, OCR access enforcement activity slowed considerably with the onset of the COVID-19 public health emergency. However, the interlude—if that’s what it was—is apparently over. During the month of September, the OCR announced no fewer than five new settlements under the Right of Access Initiative, with settlement amounts ranging from $3,500 to $70,000. In each case, the provider also had to implement a corrective action plan and submit to one to two years of close OCR monitoring.
Then, on Oct. 9, the OCR unveiled its biggest Right of Access Initiative settlement yet, a $160,000 agreement with Phoenix-based St. Joseph’s Hospital and Medical Center (SJHMC). The case began when a mother complained to OCR about SJHMC’s repeated refusals to provide her access to the PHI of her son despite her legal status as his personal representative. Only after OCR intervened did SJHMC provide all the requested PHI, more than 22 months after her initial request. In addition to the hefty settlement price, SJHMC had to agree to implement a corrective action plan and undergo OCR monitoring for two years.
OCR Right of Access Initiative Settlements Scorecard
| Provider | Settlement Amount* | Allegations |
|---|---|---|
| St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative |
| NY Spine Medicine | $100,000 | Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films |
| Bayfront Hospital | $85,000 | Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child |
| Korunda Medical | $85,000 | After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees |
| Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored request of personal representative seeking access to her father’s PHI |
| Housing Works Inc. | $38,000 | New York City non-profit services provider refused patient’s request for a copy of his medical records |
| All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused patient’s requests to inspect and receive a copy of her records |
| Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record |
| King MD | $3,500 | Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance and closed the complaint |
| *In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years | ||
How OCR Determines Settlement Amounts
As with other HIPAA violations, the OCR considers a variety of factors in determining the amount of a settlement for a failure to comply with PHI access rules, including:
- The nature and extent of the potential violation;
- The nature and extent of the harm resulting from the potential violation;
- The provider’s history of compliance with the HIPAA Rules, or lack therof;
- The provider’s financial condition, including its size and the impact of the COVID-19 public health emergency; and
- “Other matters as justice may require.”
Takeaway
The OCR Right of Access Initiative has become a significant compliance factor and an incentive for ensuring that labs respond to PHI access request within the required 30 days. Delaying action on the request beyond the deadline raises the risk of complaints to the OCR, followed by investigations and potentially costly settlements. Labs incur the same risks if they send requested PHI in the wrong format or charge excessive fees for processing PHI access requests. “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia,” declared OCR Director Roger Severino. “We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”
Subscribe to view Essential
Start a Free Trial for immediate access to this article