HHS Issues Another HIPAA 'Right of Access' SettlementSmall Plastic Surgery Practice Pays Financial Penalty, Agrees to Corrective Actions
The Department of Health and Human Services has issued its 18th enforcement action in a case involving failure to provide timely access to a patient's requested health records, demonstrating that even the smallest organizations aren't exempt from enforcement efforts.
In the latest settlement, a small cosmetic plastic surgery practice - Ridgewood, N.J.-based Village Plastic Surgery - agreed to pay a $30,000 penalty and implement a corrective action plan.
Timely Access Failure
HHS' Office for Civil Rights says a complaint was filed with in September 2019 alleging that the practice failed to take timely action in response to a patient's records access request made in August 2019. The practice is owned by Pedramine "Pedy" Ganchi, M.D.
OCR says its investigation into the complaint determined that the practice's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which currently requires a covered entity to take action on an access request within 30 days of receipt, or within 60 days if an extension is applicable.
Under proposed changes to the HIPAA Privacy Rule, OCR is considering reducing to 15 days the deadline for fulfilling patients' requests to access their health information.
As a result of OCR's investigation, Village Plastic Surgery provided the patient access to the requested records, the agency says.
“OCR’s right of access initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner," said Robinsue Frohboese, acting director of OCR. "Covered entities must comply with their HIPAA obligations, and OCR will take appropriate remedial actions if they do not.”
Under the resolution agreement with HHS OCR, the practice has agreed to implement a number of corrective actions. Those include: review, revise and implement policies and procedures related to patients' access to their protected health information, including the practice's methods for calculating a reasonable cost-based fee for access to PHI; provide training to all workforce members on HIPAA records access requirements; and provide HHS with an update on its efforts to fulfill records requests.
Village Plastic Surgery declined Information Security Media Group's request for comment.
In another recent records access case, HHS disclosed on March 24 a $65,000 settlement with Arbour Inc., a behavioral health services organization based in Jamaica Plain, Massachusetts that operates under the name Arbour Hospital (see: HHS Issues 17th HIPAA Right of Access Settlement).
Since OCR launched its right of access initiative in April 2019, the agency has issued 18 settlements, with financial payments ranging from $3,500 to $200,000.
Calling Attention to Compliance
"The ‘right of access’ initiative indicates that OCR enforcement can make covered entities more aware of the need to comply with HIPAA," says regulatory attorney Paul Hales of Hales Law Group.
"It’s apparent that many providers including large organizations just don’t regard HIPAA compliance as an urgent priority. Private lawsuits are getting some attention, but I’d like to see OCR continue to ramp up enforcement to alert C-suites and boards of directors to the dangers presented by non-compliance with HIPAA," he says.
Hales suggests that OCR could increase its HIPAA compliance enforcement scrutiny without requiring additional federal budget appropriations. That's because enforcement activities and additional staff can be fully funded by civil monetary penalties and settlement payments collected by the agency, he notes.