OCR settles with 5 providers for $330K over HIPAA right of access failures

The U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

The Department of Health and Human Services Office for Civil Rights reached settlements with five separate providers to resolve allegations that the entities failed to comply with the Health Insurance Portability and Accountability Act Privacy Rule’s right of access standard.

Oregon-based provider of residential eating disorder treatment services, Rainrock Treatment Center, dba Monte Nido Rainrock, will pay OCR $160,000. The settlement stems from three separate complaints filed with OCR in December 2019, January 2020, and February 2020 that stated the center failed to provide a patient with a copy of her medical records.

The patient made the requests on Oct. 1, 2019, and Nov. 21, 2019, but the OCR investigation found that Monte Nido did not send the patient her records until May 2020.

Advanced Spine & Pain Management in Ohio will pay a $32,150 civil monetary penalty for failing to timely respond to a November 2019 written request from a patient for access to his protected health information. The OCR investigation found ASPM acknowledged it received the patient request but did not provide the requested documents until three months later, in March 2020.

Denver Retina Center will pay a $30,000 civil monetary penalty, after a June 2019 patient complaint alleged that the provider did not respond to a December 2018 request for medical records. The same patient informed OCR that she filed a similar complaint in March 2018. OCR closed the previous case after providing DRC with technical assistance.

DRC acknowledged to OCR its late response to the patient, but did not confirm the date of the patient’s request. DRC sent the records on July 26, 2019. OCR’s investigation into the provider found that DRC’s policies and procedures were not compliant with the right of access standard and that DRC did not provide the patient with timely access in a designated record set.

Wake Health Medical Group in North Carolina will pay OCR $10,000, after OCR received a December 2020 complaint alleging that Wake Health did not provide a patient with her requested medical records, despite her in-person request in June 2019 and her payment of a $25 fee.

During the investigation, Wake Health informed OCR the provider charges patients a flat fee for their records. To date, Wake Health Medical Group has failed to provide the complainant with a copy of her medical records.

OCR singled out Robert Glaser, M.D., a New York cardiovascular disease and internal medicine provider, as he did not cooperate with the investigation or respond to OCR’s requests after a patient filed a complaint involving a medical record request. Glaser waived his right to an OCR hearing and didn’t contest OCR’s finding. As such, Glaser will pay the agency $100,000.

“Based on the ... findings of fact, OCR has determined that Dr. Glaser is liable for the following violation of the HIPAA Rules and, therefore, is subject to a civil monetary penalty,” according to OCR. “Glaser failed to provide access to medical records in response to a lawful request for such records from its patient ... The appropriate penalty tier for this continuing violation ... is willful neglect.”

After failing to respond to multiple OCR requests and notifications, Glaser has no right to appeal the penalty.

25 settlements for right of access actions

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” OCR Director Lisa J. Pino said in a statement. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

The new settlements bring the total number of enforcement actions made under the OCR Right of Access Initiative to 25 since the effort was announced in 2019. Under HIPAA, covered entities and relevant business associates are required to provide patients with timely access to their records and in their desired format.

OCR has prioritized access rights for the last two years, as the agency works to increase interoperability and further data sharing across the sector to improve care coordination and overall patient care.

In addition to the penalties, all five providers agreed to enter into a corrective action plan to improve their data sharing policies, which includes one to two years of monitoring by OCR. The CAPs include a number of requirements tailored to each provider, but all include a requirement to update patient access policies and procedures.

The minimum content of those policies must include timely action, right of access, form and format, fees and how they’re calculated, and manner of access. Once updated, all workforce members tasked with patient access must be retrained to ensure compliance with the rule.

Notably, Monte Nido’s CAP outlines its minimum policy requirements to include the addition of an accurate definition for designated record set, standardized procedures for responding to requests, training protocols, and “application of appropriate sanctions against Monte Nido workforce members who fail to comply with policies and procedures.”

As previously reported, the HIPAA right of access standard is driven by the idea that care outcomes are improved when patients have access to their data in a secure, meaningful format. Despite being outlined in HIPAA, a 2020 report found the majority of providers fail to comply with the rule.

As former OCR Deputy Director of Health Information Privacy and Ciitizen Chief Regulatory Officer Deven McGraw explained, “There’s not a full acceptance of the power that providing data has given patients more agency and enhances their ability to be more involved in their own care. I don’t think there is a kind of universal acceptance of that concept.”

“Overall, there’s a sort of ignorance that the law does, in fact, give patients the right to have their records,” she continued. “Patients have so little decision-making power and agency over [care]. The lack of access to data is really part of what undermines a patient in having the ability to choose their own pathways, to advocate for themselves, to figure out [their] treatment path.”

As OCR continues to strongly enforce the rule and as the interoperability push continues throughout the sector, compliance with the HIPAA access standard will remain paramount.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
