Latest HHS HIPAA Actions Spotlight 'Right of Access' - Again
11 New Cases Showcase HHS' Ongoing Top Enforcement Priority
Regulators are showing signs of growing impatient with medical providers that fail to comply with patients' requests for timely access to their health information.
No fewer than 11 of the last dozen HIPAA enforcement actions focused on a right of access dispute. The Department of Health and Human Services announced last Friday one civil monetary penalty and 10 settlements involving potential violations of the HIPAA privacy rule's right of access standard. The financial fines levied range from $3,500 up to $240,000, with a total haul by the government of $646,000.
"It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records," said OCR Director Lisa Pino in a statement.
This crop of settlements and civil monetary penalty cases brings to 38 the tally of HIPAA right of access enforcement actions taken by HHS' Office for Civil Rights since it launched its right of access initiative in April 2019.
Healthcare organizations should "understand that OCR is serious about upholding the law and peoples' fundamental right to timely access to their medical records," Pino said.
After dozens of earlier enforcement actions in the last three years against organizations involved in right of access disputes, why some entities are still struggling to comply with that HIPAA provision is a frustrating mystery to some experts.
"Not providing patients with copies of their medical records is something that has eluded me," says regulatory attorney Rachel Rose. That's especially the case, she adds, since many states have tighter deadlines than HIPAA's 30-calendar-day mandate for complying with an access request. Texas, for example, directs medical providers to furnish medical records within 15 business days.
Right of Access Disputes
In the civil monetary penalty case, HHS OCR alleges that the foot doctor center failed to provide a former patient with his medical records despite multiple requests, and that it also failed to respond to HHS OCR during the agency's investigation of the patient's complaint.
Ten other covered entities agreed to pay financial settlements to HHS OCR and to implement corrective action plans to improve their compliance with the HIPAA privacy rule and its right of access provision. Those cases include:
- A $240,000 settlement with Memorial Hermann Health System, a not-for-profit health system in Southeast Texas that includes 17 hospitals;
- A $65,000 settlement with Southwest Surgical Associates, a Texas-based group practice with nine locations in the Greater Houston area;
- A $55,000 settlement with Massachusetts-based Hillcrest Nursing and Rehabilitation;
- A $55,000 settlement with Massachusetts-based healthcare provider MelroseWakefield Healthcare;
- A $50,000 settlement with New York-based Erie County Medical Center Corp., a public benefit corporation that operates the hospital Erie County Medical Center;
- A $30,000 settlement with Nebraska-based Fallbrook Family Health Center;
- A $22,500 settlement with New York-based Associated Retina Specialists;
- A $20,000 settlement with Florida-based specialty practice Coastal Ear, Nose, and Throat;
- A $5,000 settlement with Maryland-based dental practice Lawrence Bell Jr., D.D.S.;
- A $3,500 settlement with Massachusetts-based Danbury Psychiatric Consultants.
Regulatory attorney Paul Hales of the Hales Law Group says that of all the recent actions to enforce patient access, the most disturbing case involved a complaint filed against Memorial Hermann.
That's because in April 2017, the southeastern Texas nonprofit system settled a separate OCR investigation into an unauthorized protected health information disclosure incident involving just one patient.
At that time, Memorial Hermann agreed to pay a hefty $2.4 million financial settlement and implement a corrective action plan to improve its compliance with the HIPAA rules (see: Hefty Penalty for Improper Disclosure of One Patient's Info).
The lesson of that resolution agreement was apparently short-lived, given the $240,000 settlement just announced by HHS OCR, Hales says.
"Now Memorial Hermann is subject to another two-year plan requiring the same corrective actions - privacy rule policy revision, implementation and training. It’s déjà vu all over again," he says.
Memorial Hermann did not immediately respond to Information Security Media Group's request for comment on the recent HIPAA settlement.
In the bigger picture, the variety of organizations newly cited by OCR is telling, Hales says.
"They are large and small, nonprofit and for-profit, diverse geographically and in the nature of services provided. … Providers must develop and implement policies to protect the privacy of protected health information and train their workforce to implement them," he says.
Steps to Take
Rose says organizations can take steps to improve their compliance with the HIPAA right of access provision and ultimately avoid such complaint investigations by HHS OCR.
"Once a request from a patient is received, calendar it through an internal system," she says. "Use the shorter time period - state versus federal - if applicable, in order to comply with both state and federal law."
If a business associate is used to provide records, covered entities should conduct adequate due diligence to ensure that the associate has comprehensive policies and procedures, as well as an internal calendaring system, to guarantee compliance with applicable rules, including HIPAA, she says.