Fines Tied to Failure to Provide Patients With Records
HIPAA Settlements Spotlight Patient 'Right of Access'
Federal regulators have smacked five more healthcare organizations with financial settlements for failing to provide individuals with timely access to health information as required under HIPAA. Earlier, regulators announced two other similar settlements.
The Department of Health and Human Services’ Office for Civil Rights, in a statement issued Tuesday, says the cases are part of the agency’s “right of access initiative” launched last year. The initiative prioritizes HIPAA Privacy Rule enforcement efforts supporting individuals' right to obtain timely access to their health records at a reasonable cost.
"Patients can't take charge of their healthcare decisions without timely access to their own medical information," says Roger Severino, OCR director. “The enforcement actions are about empowering patients and holding healthcare providers accountable for failing to take their HIPAA obligations seriously enough.”
Small Settlements, Big Message?
Some regulatory experts say that while the settlements have relatively small penalties, ranging from $3,500 to $70,000, the cases spotlight how HHS is emphasizing the importance of giving patients access to their health information.
“The industry needs to be paying close attention to access requests and handling them responsibly,” says privacy attorney Kirk Nahra, of the law firm WilmerHale. “If there are complaints, they need to be addressed promptly and effectively.”
Last fall, OCR announced two $85,000 records access settlements with Florida-based entities Bayfront Health St. Petersburg and Korunda Medical.
Five Settlement Cases
At least three of the recent HIPAA settlements involve situations in which OCR received second complaints from individuals alleging the healthcare organizations failed to provide timely access to patients’ records upon request. Those complaints came after the agency had already provided technical assistance to the entities upon receiving the first complaint.
The largest of the five recent settlements imposed a $70,000 penalty against Massachusetts-based Beth Israel Lahey Health Behavioral Services.
OCR says it received a complaint that the organization failed to respond to a request from someone seeking access to her father's medical records. As a result of OCR's investigation, the organization eventually provided the requested medical records.
OCR’s $38,000 settlement with New York-based Housing Works Inc., a nonprofit organization that provides healthcare, homeless services and advocacy support for people affected by HIV/AIDS, stems from a complaint that the organization failed to provide an individual with a copy of his medical records.
Although OCR provided Housing Works with technical assistance, the agency received a second complaint alleging that Housing Works still had not provided the individual with access to his records.
OCR says its $15,000 settlement with All Inclusive Medical Services, a California-based multispecialty family medicine clinic, is tied to a complaint that the organization denied a patient’s request to inspect and receive a copy of her records. The patient eventually obtained her records after OCR investigated.
A $10,000 settlement with Colorado-based Wise Psychiatry notes that the practice failed to provide someone with access to his minor son's medical records. After OCR provided the organization with technical assistance following the complaint, the agency later received a second complaint alleging that Wise Psychiatry still had not provided the records access.
OCR says King MD, a small provider of psychiatric services in Virginia, agreed to pay a $3,500 settlement also pertaining to a repeat complaint case. OCR says that King MD failed to respond to an individual's request for access to her medical records despite OCR providing the practice with technical assistance.
Each of the five settlements requires the entities to undertake corrective actions to improve their compliance with the HIPAA right of access provision.
None of the five entities signing settlements with OCR immediately responded to Information Security Media Group’s requests for comment.
Records Access Initiatives
In addition to these recent HIPAA settlements involving right of access cases, HHS earlier this year rolled out information blocking and health IT interoperability final rules called for under the 21st Century Cures Act. Besides tackling health data exchange issues, the rules aim to improve patients’ secure access to their health data. That includes promoting the use of standardized application programming interfaces for patients to securely access information from electronic health records using smartphones and other mobile devices (see ONC’s Donald Rucker: More Work to Do on Health Data Privacy).
The new regulations required under the 21st Century Cures Act “expand upon the HIPAA standards” by requiring healthcare providers to offer individuals more options for how they can conveniently access their electronic health data – such as via smartphone apps, notes privacy attorney David Holtzman, of consulting firm HITprivacy LLC.
“But these innovations come at the cost of patients gambling on the confidentiality of their health information as they navigate a loosely regulated marketplace of app developers whose business models may depend on mining data about the individuals that use their technology,” he says.
Mental Health Records
Holtzman notes that four out of five of OCR’s enforcement actions focused on complaints involving obtaining patient records from behavioral health providers.
“This is an area that is fraught with complex considerations that would allow healthcare providers to withhold access to records under certain circumstances,” he says.
“It is crucial that healthcare organizations carefully review their policies and procedures to ensure they meet the standards of the HIPAA Privacy Rule and that they are being applied appropriately and uniformly.”