
11 health providers settle HIPAA right of access failures with feds

The Department of Health and Human Services Office for Civil Rights settled 11 claims with providers that failed to give patients timely access to their medical records under HIPAA. (Photo by Mark Wilson/Getty Images)

The Department of Health and Human Services Office for Civil Rights announced settlements with 11 covered entities to resolve claims that the providers failed to give patients timely access to their medical records, in violation of the Health Insurance Portability and Accountability Act.

The enforcement actions stem from OCR’s Right of Access Initiative launched in 2018, designed to strengthen patient access rights across the U.S. Providing individuals with their medical records bolsters care coordination and overall care quality.

The latest actions bring the total number of settlements under the initiative to 38.

The latest settlements include civil monetary penalties ranging from $3,500 to $240,000. The largest penalties were levied against Memorial Hermann Health System in Texas and ACPM Podiatry in Illinois. Memorial Hermann paid OCR $240,000 and ACPM paid $100,000.

Mid-sized penalties were levied against Southwest Surgical Associates in Texas ($55,000), MelroseWakefield Healthcare ($55,000), Hillcrest Nursing and Rehabilitation in Massachusetts ($55,000), Erie County Medical Center Corporation ($50,000), Nebraska’s Fallbrook Family Health Center ($30,000), and New York’s Associated Retina Specialists ($22,500).

The smallest fines were paid by Coastal Ear, Nose, and Throat in Florida ($20,000), Lawrence Bell Jr., D.D.S., in Baltimore ($5,000), and Danbury Psychiatric Consultants in Massachusetts ($3,500).

The range in penalties reflects the nature and extent of the violations, while highlighting the importance OCR places on the HIPAA right of access. The standard mandates that patients have the right to see and/or obtain their records within 30 days, or longer if an extension is filed.

“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” OCR Director Lisa J. Pino said in a statement. Entities should “understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

The two largest penalties levied provide examples for covered entities and relevant business associates of their responsibilities under HIPAA.

$100,000 penalty for ACPM Podiatry

The ACPM Podiatry settlement highlights a number of key issues providers should avoid when ensuring compliance with HIPAA and when interacting with OCR over potential HIPAA violations. The OCR penalty levied against ACPM came after it failed to respond to or request a hearing “in accordance with the instruction in the Notice of Proposed Determination.”

As such, the provider has no right to appeal the $100,000 monetary penalty. 

The final enforcement action stems from an April 8, 2019, complaint filed with OCR by a former ACPM patient, who alleged “ACPM refused to provide him with his requested medical records.” OCR quickly provided ACPM with written technical assistance on right of access requirements, including that covered entities must respond to requests and provide PHI access within 30 days.

“The technical assistance letter informed ACPM that a covered entity may not withhold or deny an individual access to his PHI on the grounds that the individual has not paid the bill for healthcare services which the covered entity provided to the individual,” according to the findings.

OCR then considered the matter closed and informed the patient that he could reach out again if the access issues persisted. One month later, the same patient filed a second complaint, claiming ACPM still hadn’t provided the requested records and had failed to respond to oral requests made in September and October 2018 and a written request made in November 2018.

However, the audit findings show ACPM failed to respond to both the patient and OCR investigators on multiple occasions.

The patient alleged that “he inquired about his request in December 2018, and that an ACPM employee informed him that ACPM was not trying to refuse his request, but had a lot of surgeries to complete before year end,” according to the findings.

ACPM allegedly responded to another request, made in January 2019, by raising issues with non-payment, and allegedly told the patient that “if the insurance doesn’t pay, ACPM would not release the records.”

The second OCR complaint stated the patient inquired about the access request and an employee told him, “We still have your request and we have you[r] number.” But the medical records were needed to “appeal an unfavorable decision made by his health insurance company for the payment of a bill related to treatment provided by ACPM.”

OCR responded to these allegations by sending ACPM the complaint and a data request, including whether the specialist provided that patient with his medical records. The agency also requested a copy of its patient access policies, while reminding ACPM of HIPAA requirements.

In its request, OCR gave ACPM a number of options for responding to the allegations, including submitting evidence that the alleged violation didn’t occur or describing the actions it took in response to the patient’s request.

However, ACPM did not respond to the data request or OCR by June 29, 2019. OCR followed up with the provider on two occasions via phone and again by letter on July 16, 2019, requesting a copy of the data request, its responses to OCR, and for ACPM to “contact the investigator assigned to the case to arrange for the production of the data requested.”

“ACPM failed to respond to OCR’s June 14, 2019, data request letter nor did ACPM contact the investigator assigned to this case,” according to the findings. The patient did not receive his records until July 28, 618 days after the Nov. 13, 2018, written access request. But the patient claims the records are incomplete.

In response to the actions and inactions, OCR sent ACPM a letter informing the specialist that ACPM failed to comply with the HIPAA right of access rule and the “matter has not been resolved by informal means despite OCR's attempts to do so.” As such, the preliminary indications showed ACPM was not in compliance.

Despite being reminded that it could submit written evidence to waive the civil monetary penalty (CMP) within a 30-day timeline, ACPM ignored the requests and failed to provide any evidence of mitigating factors or “affirmative defenses.”

The U.S. Attorney General provided OCR with authorization to issue ACPM with its civil monetary penalty. OCR determined ACPM is liable for violating HIPAA because it failed to provide timely access to medical records.

While the appropriate penalty tier for this violation is willful neglect, which, if uncorrected, is subject to a maximum $3.57 million fine, OCR issued ACPM a $100,000 penalty. OCR calculated the penalty based on the financial condition of ACPM and the nature and extent of the violations.

OCR also considered ACPM’s history of prior compliance, which included an earlier complaint filed against the provider for reasons similar to those in the initial complaints.

Memorial Hermann Health System's $240,000 penalty detailed

An investigation was launched into Memorial Hermann after a patient filed a complaint with OCR on Aug. 31, 2020, alleging the health system failed to provide them with their medical records. The patient made five requests for access to their full billing and medical records between June 2019 and January 2020.

OCR found that Memorial Hermann indeed received the initial access request on July 10, 2019, and “subsequently failed to take timely and compliant action upon said requests.”

The request was not completed in full until March 26, 2021, supporting “the legal conclusion that the covered entity violated” the right of access standard by not completing the access request for a total of 564 days.

In addition to paying OCR $240,000, Memorial Hermann has agreed to enter into a corrective action plan that requires a revision of its internal policies and procedures governing patients’ access to their protected health information, including a mechanism for reliably tracking the receipt and processing of all written requests for access to medical information and records.

The health system must also develop its HIPAA right of access policies and procedures and train relevant workforce members on those materials in compliance with the rule.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
