NY Spine Settles with OCR for $100K Over HIPAA Right of Access Violation

OCR announced its ninth settlement under the HIPAA Right of Access Initiative. NY Spine Medicine will pay $100,000 after failing to provide a patient timely access to her medical records.

By Jessica Davis

The Office for Civil Rights announced yet another settlement under the 2019 HIPAA Right of Access Initiative. NY Spine Medicine will pay the agency $100,000 and agreed to a corrective action plan for failing to provide a patient timely access to her medical records.

It’s the ninth settlement under the initiative and the seventh announced in the last month. Since mid-September, OCR has resolved investigations with five providers, as well as Dignity Health. 

Announced in 2019, the HIPAA Right of Access Initiative is an OCR enforcement priority designed to ensure patients are supported in receiving timely access to their medical records for a reasonable fee in compliance with the HIPAA rule, with limited exceptions. 

Patients are permitted to ask for medical records, health enrollment plan records, case management information, and other data related to their care, whether it’s maintained by a covered entity or a business associate on behalf of a covered entity, the Department of Health and Human Services previously noted. 

“The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual,” HHS explained. 

Despite HIPAA, Ciitizen research shows more than half of providers are still failing to comply, although there has been significant improvement in the last year. 

In the case of NY Spine Medicine, a patient filed a complaint with OCR in July 2019 that alleged she was only provided some of her requested medical information despite multiple requests to obtain diagnostic films, including X-ray, MRI and CT scan images. 

OCR launched an investigation into the incident, after numerous attempts to contact the provider between December 26, 2019 and March 6, 2020. The investigation found that in failing to provide those records, NY Spine potentially violated the HIPAA Privacy Rule. 

As a direct result of the investigation, the patient finally obtained the requested information in October 2020, more than a year after the initial request. 

“No one should have to wait over a year to get copies of their medical records,” OCR Director Roger Severino said in a statement. “HIPAA entitles patients to timely access to their records and we will continue our stepped-up enforcement of the right of access until covered entities get the message.”

In addition to the civil monetary penalty, NY Spine agreed to a corrective action plan that will include two years of monitoring. The provider is required to develop, maintain, and revise, as necessary, written policies and procedures to comply with HIPAA. 

The procedures must include reviewing and updating the Right of Access to protected health information policies to ensure comprehensive responses to patient requests, protocols for training all workforce members involved with receiving or fulfilling access requests, and applying appropriate sanctions for workforce members who fail to adhere to Right of Access rules. 

The provider is also required to implement workforce training protocols for those involved in cooperating with compliance reviews and other OCR investigations and to apply appropriate sanctions for those who fail to comply. 

NY Spine must also designate a privacy official responsible for developing and implementing those policies and procedures, serving as a contact person for receiving complaints of potential violations, and providing further information about records’ access matters. 

The NY Spine settlement is the ninth enforcement penalty announced by OCR in the last month, after a serious lull during the initial stages of the COVID-19 crisis. 

In addition to the six Right of Access violations, HHS settled with three covered entities to resolve HIPAA violations discovered during OCR breach investigations: CHSPSC, a Community Health System business associate, for $2.3 million, Premera Blue Cross for $6.85 million, and Athens Orthopedic Clinic for $1.5 million.