It was a little more than a year ago that we first wrote about how the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services had begun to vigorously enforce HIPAA Privacy Rule’s right of access. It requires providers to give patients access to their health records upon request and for a reasonable fee. However, despite the prospect of huge fines, many providers have been either slow to respond, fail to respond, or when they do respond, have charged excessive amounts of money for those records.
Since OCR began its enforcement, the number of providers cited for failing to comply has risen to 16. When last we wrote about this in October, OCR had cited just nine healthcare providers.
Three cases were settled in November. They were:
Riverside Psychiatric Medical Group, which specializes in psychology and substance abuse disorders, agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. The first complaint was filed in March 2019, and a second was filed a month later, after the practice was notified of its obligation by OCR, yet failed to comply.
Riverside claimed that because the requested records included psychotherapy notes, they did not have to comply. While the HIPAA rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part (which Riverside did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding).
It wasn’t until October 2020, that Riverside complied with the request, minus the notes.
Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology in Regal Park, New York, agreed to take corrective actions and pay $15,000.
In September 2018, OCR received a complaint alleging that Dr. Bhayani failed to provide a patient with access to her medical records following her request in July. OCR notified the doctor of the requirements and closed the complaint. In July 2019, OCR received a second complaint stating he had still failed to comply. OCR determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. The patient finally received a complete copy of her medical records in September 2020.
Hospitals also are required to comply with the standard, as evidenced by the complaint filed against The University of Cincinnati Medical Center, LLC (UCMC), which agreed to take corrective actions and pay $65,000 to settle a potential violation.
In May 2019, OCR received a complaint alleging that the medical center failed to respond to a patient’s February 2019, records request asking that an electronic copy of her medical be sent to her lawyers. As a result of OCR’s investigation and intervention, the patient received all of the requested medical records in August 2019.
In December, OCR announced its thirteenth enforcement action. Peter Wrobel, M.D., P.C., doing business as Elite Primary Care in Georgia, agreed to take corrective actions and pay $36,000 to settle a potential violation. Elite provides primary care services in Georgia.
In April 2019, OCR received a complaint alleging that Elite failed to respond to a patient’s request for access to his medical records. Despite being notified by OCR that he was in violation of the rule, a second complaint was filed against Elite, after failing to comply. It wasn’t until May 2020, more than a year after the first request, that the patient received a copy of his medical records.
The first settlement of 2021 (number 14) involved Banner Health, a non-profit health system based in Phoenix, Arizona that operates 30 hospitals and numerous primary care, urgent care, and specialty care.
OCR received two complaints against Banner. The first alleged that the patient requested her medical records in December 2017 and did not receive them until May 2018. The second alleged that the patient requested access to an electronic copy of his records in September 2019, and the records were not sent until February 2020.
Banner agreed to take corrective actions and pay $200,000 to settle potential violations.
“This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records,” said OCR Director Roger Severino, in a news release.
Two additional cases were settled in February. The first involved Renown Health, P.C., a private, not-for-profit health system in Nevada, which agreed to take corrective actions and pay $75,000 to settle the case.
In February 2019, OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party. As a result of OCR’s investigation, Renown Health provided access to all of the requested records.
The most recent settlement involved Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers, a California-based healthcare system with four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan. It agreed to take corrective actions and pay $70,000 to settle the complaint.
In June 2019, a complaint was filed with OCR alleging that Sharp failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. After failing to comply, OCR received a second complaint. As a result of OCR’s investigation, Sharp provided access to the requested records.
As evidenced by the most recent cases, providers of all shapes and sizes are required to comply with HIPAA Privacy Rule’s right of access. OCR has made it abundantly clear it is serious about going after providers who fail to comply.
Providers should review their policies and practices to ensure that they respond to patient requests for access to medical records promptly and in compliance with HIPAA rules. Our attorneys are well qualified to assist you in this matter. Contact us for additional information at 305-358-4500 or send us an email to firstname.lastname@example.org and let’s discuss how we might be able to assist you.