HIPAA Privacy Rule Initiative Violations Mounting

HIPAA Privacy Rule Initiative Violations Mounting

Providers learn ignoring the Right of Access standard is a costly mistake.

The Office for Civil Rights (OCR) announced July 15 the resolution of 11 HIPAA Right of Access Initiative investigations. This makes 38 enforcement actions since the initiative began.

The Right of Access Initiative was implemented in 2019 to help patients obtain their medical records in a timely manner and at a reasonable cost in accordance with the HIPAA Privacy Rule. Providers regulated by HIPAA have 30 days to fulfill a medical records request and may charge only a nominal fee.

“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino in a press release. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

Enforcement Actions Add Up

The latest enforcement actions OCR has taken to resolve potential Right of Access standard violations puts things into perspective.

  1. A podiatrist failed to provide a former patient with his requested medical records after multiple requests from both the patient and OCR, which resulted in a civil money penalty of $100,000.
  2. A retina specialist failed to provide a patient with a copy of her medical records until OCR initiated an investigation —five months after the complainant’s first written request. The provider agreed to take corrective actions and paid $22,500 to settle the potential violation.
  3. A dentist in Baltimore, Md., agreed to take corrective actions and paid $5,000 to settle a potential violation of the Right of Access standard.
  4. An ear, nose, and throat doctor in Florida agreed to corrective actions and a $20,000 fine to settle a potential violation of the Right of Access standard.
  5. A psychiatric consultant company refused to release a patient’s medial records because of an outstanding balance and required a signed request or authorization request. The company agreed to take corrective actions and has paid $3,500 to resolve the potential HIPAA violation.
  6. A corporation that operates a hospital in Buffalo, N.Y., failed to provide an individual with a complete copy of his medical records in a timely manner. The company agreed to take corrective actions and has paid $50,000 to settle the potential violation.
  7. A family health center in Nebraska agreed to take corrective actions and has paid $30,000 for failing to provide timely access to medical records.
  8. A nursing and rehabilitation facility in Massachusetts failed to provide an individual’s personal representative with timely access to her son’s medical records. The facility agreed to take corrective actions and has paid $55,000.
  9. A provider in Massachusetts did not provide a personal representative with timely access to medical records on the basis that the durable power of attorney did not allow it, which was incorrect, according to OCR. The company agreed to take corrective actions and has paid $55,000.
  10. A not-for-profit health system in Southeast Texas agreed to corrective actions and has paid $240,000 to settle a potential violation of the Right of Access standard.
  11. A group practice in the Houston, Texas, area agreed to corrective actions and has paid $65,000 for failing to provide an individual timely access to their health information.

Know the Rules

The Right of Access Initiative began in 2019, but the HIPAA Privacy Rule, codified in 2001, has always stipulated that patients have a right to request to view their medical records. There may be legitimate extenuating circumstances, however. “The provider may deny access of the content if the medical record could ‘harm the patient,’” according to Michel Warner, DO, CPC, CPMA, AAPC Fellow (Healthcare Business Monthly, Jan. 2018).

HIPAA-covered entities must know individuals’ right under HIPAA to access their health information to uphold the law and avoid costly penalties.

Renee Dustman
Follow me

About Has 773 Posts

Renee Dustman, BS, AAPC MACRA Proficient, is managing editor - content & editorial at AAPC. She holds a Bachelor of Science degree in Media Communications - Journalism. Renee has more than 30 years' experience in journalistic reporting, print production, graphic design, and content management. Follow her on Twitter @dustman_aapc.

Leave a Reply

Your email address will not be published.

Have you used AAPC's member discount savings program (e.g., travel, entertainment)? (On top menu: Resources/Other Resources/Savings Center)