HHS imposes $100K penalty on NJ facility over HIPAA right of access violations

Hackensack Meridian Health agreed to pay $100,000 to resolve HIPAA right of access failures.

By Jill McKeon

The HHS Office for Civil Rights (OCR) imposed a $100,000 civil monetary penalty against Hackensack Meridian Health, West Caldwell Care Center, also known as Essex Residential Care, over HIPAA right of access failures. Hackensack Meridian Health is a New Jersey-based skilled nursing facility that provides long-term care and rehabilitation services.

OCR’s investigation began in May 2020, when it received a complaint from a patient’s son alleging that Hackensack Meridian Health had failed to provide him with access to his mother’s medical records, even though he was his mother’s designated personal representative.

The patient’s son sent the records request via email and was denied because Hackensack Meridian requested a copy of a power of attorney or medical proxy document to establish that the son was in fact his mother’s personal representative.

Despite sending this information to Hackensack Meridian Health, the son still did not receive the records. Following OCR’s investigation, the personal representative received the records in November 2020.

Under the HIPAA Privacy Rule’s right of access provisions, covered entities are required to provide patients or their personal representatives with requested medical records within 30 days of receiving the request. In this case, the patient’s personal representative received the records 161 days after the initial request.

Hackensack Meridian Health waived its right to a hearing and declined to contest OCR’s findings.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” said OCR Director Melanie Fontes Rainer.

“OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This marks the second HIPAA right of access case announced by OCR in recent days. OCR announced a settlement with Oklahoma-based Phoenix Healthcare, which agreed to pay $35,000 and implement corrective actions to resolve the case.

The settlement stemmed from an April 2019 complaint to OCR, which alleged that Phoenix Healthcare had not provided a daughter, who was serving as her mother’s personal representative, with a copy of her mother’s medical records.

With both of these cases, OCR stressed the importance of HIPAA’s right of access provisions and a patient’s right to access their medical records in a timely manner.

“Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions,” Fontes Rainer said.

“It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”