OCR Settles 5 HIPAA Right of Access Cases

OCR announced the resolution of five HIPAA Right of Access cases, bringing the total number of enforcement actions to 25 since the HIPAA Right of Access Initiative began.

By Jill McKeon

The Office for Civil Rights (OCR) announced the resolution of five cases under the HIPAA Right of Access Initiative. OCR created the initiative in 2019 in order to support patients' right to timely and cost-effective access to their health records. These five actions bring the total number of enforcement actions to 25 since the initiative began.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” Lisa J. Pino, OCR director, said in the announcement.

“OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

Each of the five settlements underscored OCR’s focus on enforcing the HIPAA Privacy Rule’s right of access standard, and each involved a civil monetary payment.

Advanced Spine & Pain Management

Ohio-based Advanced Spine & Pain Management (ASPM) agreed to pay a civil monetary penalty of $32,150 to settle a potential violation of the HIPAA right of access standard. ASPM also agreed to undergo two years of monitoring as part of a structured Corrective Action Plan (CAP).

In a complaint filed with OCR, an individual alleged that ASPM failed to provide him with timely access to his protected health information (PHI). OCR’s investigation revealed that the individual had submitted a written records request to ASPM in person on November 25, 2019. However, ASPM did not send the individual a copy of his PHI until March 19, 2020.

Under the CAP, ASPM will be required to implement revised access policies and procedures to ensure timely and cost-effective PHI access.

Denver Retina Center

Ophthalmological services provider Denver Retina Center (DRC) agreed to pay OCR $30,000 to settle a potential HIPAA right of access violation. In addition, the center will undergo corrective actions, including one year of monitoring.

A Denver Retina Center patient filed a complaint with HHS on June 24, 2019, alleging that she requested her medical records from DRC in December 2018. The patient also said that she had previously filed a complaint with HHS on March 11, 2018, which was resolved after HHS provided technical assistance to DRC.

HHS notified DRC of its investigation on July 18, 2019. DRC then admitted that it was aware of the records request and that it was late in responding to the patient, but never confirmed the date of the request. DRC later provided evidence that it sent the medical records to the patient via FedEx on July 26, 2019.

However, after a review of DRC’s access policies, HHS concluded that the provider did not have compliant access procedures as required under the HIPAA Privacy Rule.

Under its Corrective Action Plan, DRC agreed to develop revised policies and procedures that align with federal standards.

Dr. Robert Glaser

OCR stated that Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, New York, did not cooperate with OCR’s investigation or respond to OCR’s data requests. Glaser is now facing a $100,000 civil monetary penalty.

Glaser allegedly failed to respond to several written and verbal requests from a patient seeking his 2013 and 2014 medical records.

The patient filed a complaint in 2017, and the complaint was later closed after HHS sent a letter advising Glaser to provide the patient with his medical records.

The same patient opened a second complaint in 2018, alleging that Glaser had still not provided him the requested records after multiple written and verbal requests. Glaser failed to respond to multiple letters and phone calls from OCR regarding the investigation.

Glaser also failed to timely request a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.

Rainrock Treatment Center

Rainrock Treatment Center, which does business under the name Monte Nido Rainrock, agreed to pay a $160,000 civil monetary penalty and take corrective actions. The residential eating disorder treatment services provider allegedly failed to provide a patient with a copy of her medical records after multiple requests in 2019.

The patient received the records on May 22, 2020, after the patient filed three separate complaints with HHS.

Monte Nido agreed to comply with a Corrective Action Plan requiring them to revise their right of access procedures and policies.

Wake Health Medical Group

Wake Health Medical Group agreed to pay OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule. A patient filed a complaint with OCR after making a records request on June 27, 2019, and paying a $25 fee for the records. The patient has still not received a copy of her medical records as of the date of publication.

Wake Health Medical Group agreed to undergo a Corrective Action Plan to revise its right of access policies.

Since these five cases are all settlements, no party admitted to any wrongdoing.