Latest HHS HIPAA Actions Spotlight 'Right of Access' - Again

11 New Cases Showcase HHS' Ongoing Top Enforcement Priority
Latest HHS HIPAA Actions Spotlight 'Right of Access' - Again

Regulators are showing signs of growing impatient with medical providers that fail to comply with patients' requests for timely access to their health information.

No fewer than 11 of the last dozen HIPAA enforcement actions focused on a right of access dispute. The Department of Health and Human Services announced last Friday one civil monetary penalty and 10 settlements involving potential violations of the HIPAA privacy rule's right of access standard. The financial fines levied range from $3,500 up to $240,000, with a total haul by the government of $646,000.

"It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records," said OCR Director Lisa Pino in a statement.

This crop of settlements and civil monetary penalty cases bring to 38 the tally of HIPAA right of access enforcement actions taken by HHS' Office for Civil Rights since it launched its right of access initiative in April 2019.

Healthcare organizations should "understand that OCR is serious about upholding the law and peoples' fundamental right to timely access to their medical records," Pino said.

Top Priority

After dozens of earlier enforcement actions in the last three years against organizations involved in right of access disputes, why some entities are still struggling to comply with that HIPAA provision is a frustrating mystery to some experts.

"Not providing patients with copies of their medical records is something that has eluded me," says regulatory attorney Rachel Rose. That's especially the case, she adds, since many states have tighter deadlines than HIPAA's 30-calendar-day mandate for complying with an access request. Texas, for example, directs medical providers to furnish medical records within 15 business days.

Right of Access Disputes

In the latest batch of enforcement actions involving HIPAA's right of access provision, HHS OCR levied a $100,000 civil monetary penalty against Illinois-based ACPM Podiatry.

HHS OCR alleges that the foot doctor center failed to provide a former patient with his medical records despite multiple requests. It also failed to respond to HHS OCR during the agency's investigation into the patient's complaints.

Ten other covered entities agreed to pay financial settlements to HHS OCR and to implement corrective action plans to improve their compliance with the HIPAA privacy rule and its right of access provision. Those cases include:

Earlier Case

Regulatory attorney Paul Hales of the Hales Law Group says that of all the recent actions to enforce patient access, the most disturbing case involved a complaint filed against Memorial Hermann.

That's because in April 2017, the southeastern Texas nonprofit system settled a separate OCR investigation into an unauthorized protected health information disclosure incident involving just one patient.

At that time, Memorial Hermann agreed to pay a hefty $2.4 million financial settlement and implement a corrective action plan to improve its compliance with the HIPAA rules (see: Hefty Penalty for Improper Disclosure of One Patient's Info).

The lesson of the resolution agreement was apparently short-lived, given its $240,000 settlement just announced by HHS OCR, Hales says.

"Now Memorial Hermann is subject to another two-year plan requiring the same corrective actions - privacy rule policy revision, implementation and training. It’s déjà vu all over again," he says.

Memorial Hermann did not immediately respond to Information Security Media Group's request for comment on the recent HIPAA settlement.

In the bigger picture, the variety of organizations newly cited by OCR is telling, Hales says.

"They are large and small, nonprofit and for-profit, diverse geographically and in the nature of services provided. … Providers must develop and implement policies to protect the privacy of protected health information and train their workforce to implement them," he says.

Steps to Take

Rose says organizations can take steps to improve their compliance with the HIPAA right of access provision and ultimately avoid such complaint investigations by HHS OCR.

"Once a request from a patient is received, calendar it through an internal system," she says. "Use the shorter time period - state versus federal - if applicable, in order to comply with both state and federal law."

If a business associate is used for providing records, covered entities should conduct adequate due diligence to ensure that they have comprehensive policies and procedures, as well as an internal calendaring system to guarantee compliance with rules, including HIPAA, she says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.