HHS Issues Another 'Right of Access' SettlementSecond-Largest Fine in String of Patient Records Access Cases
In the tenth HIPAA enforcement action in recent weeks, federal regulators have announced a $100,000 settlement in yet another case involving failure to provide a patient with timely access to their health records.
In a statement Friday, the Department of Health and Human Services’ Office for Civil Rights says its settlement with NY Spine Medicine includes a corrective action plan that must be implemented by the private medical practice, which specializes in neurology and pain management. The practice has offices in New York and Miami Beach.
The case is OCR’s ninth “right of access” settlement since launching an initiative last year to support individuals' rights to have timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.
On Wednesday, OCR issued its largest right of access enforcement action to date - a $160,000 monetary settlement and corrective action plan with Phoenix-based Dignity Health, which does business as St. Joseph's Hospital and Medical Center (see: Biggest 'Right to Access Records' Penalty Announced).
Last month, OCR announced five other settlements ranging from $3,500 to $70,000 (see: Fines Tied to Failure to Provide Patients With Records).
And last fall, OCR unveiled its first two settlements in patient right of access cases - each with an $85,000 penalty.
The Latest Case
The resolution agreement in the NY Spine case notes that, in July 2019, OCR received a complaint from an individual alleging that, beginning in June 2019, she made multiple requests to the practice for a copy of her medical records.
NY Spine provided some of the records, but did not provide the diagnostic films requested, the agency notes.
“OCR initiated an investigation and determined that NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard,” OCR says. As a result of OCR’s investigation, the patient received all of the requested medical records this month.
“No one should have to wait over a year to get copies of their medical records,” says Roger Severino, OCR director. “HIPAA entitles patients to timely access to their records, and we will continue our stepped-up enforcement of the right of access until covered entities get the message.”
Under the settlement, NY Spine has agreed to take a number of corrective actions, including:
- Developing and implementing written policies and procedures to comply with the federal standards that govern the privacy of individually identifiable health information, including patient right of access to records;
- Distributing the policies and procedures to all workforce members and relevant business associates;
- Providing training to all workforce members who are involved in receiving or fulfilling records access requests.
In addition to the recent cluster of right of access cases, OCR last month issued three multimillion-dollar HIPAA settlements following breaches involving hacking incidents.
The largest of those - a $6.8 million settlement with Premera Blue Cross - was issued last month in a case involving a 2014 breach that exposed information on 10.4 million individuals.