
OCR Tough on HIPAA Privacy Rule Violations

Patient Right of Access to Records Remains a Prime Focus

From small medical centers and behavioral health clinics to large health systems, violators of the HIPAA Privacy Rule have paid dearly in the first half of 2021.

As the enforcement arm of the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights investigates violations alleged by patients and employees. It imposes financial and other penalties upon the violators. The OCR also monitors remedial security and compliance activities of previous violators.

Penalties are No Slap on the Wrist

In the first half of 2021, six healthcare entities were penalized for violations of the HIPAA Privacy Rule, and specifically of its Patient Right of Access requirements. The fines totaled $445,000, with individual penalties ranging from $5,000 to $200,000.

In 2020, ten other healthcare entities settled violations and paid penalties. With six settlements in six months, 2021 is on track to exceed 2020 in number of settlements.

In addition to paying financial penalties, violators are required to implement robust remedial action plans that are monitored by the OCR for up to three years.

Press releases are issued by the OCR to publicly announce the settlement of each violation. All are posted on the HHS OCR website. The releases provide details as to when the request for medical records was made, when the patient complaint was filed with the OCR, how long it took the healthcare entity to deliver the records, and the amount of the financial penalty for failing to deliver in a timely fashion.

For the convenience of healthcare providers who don’t keep up with this news, below are summaries of the six Right of Access settlements announced in the first half of 2021.

Patient Right to Timely Access

Since 2019, the Office for Civil Rights has conducted a relentless enforcement initiative to compel healthcare organizations to comply with the Patient Right of Access requirement of the HIPAA Privacy Rule.

This standard assures individuals’ rights to access their health records or receive copies of their health records “in a timely fashion at a reasonable cost.”

Covered entities are required to fulfill a records access request within 30 days of receipt, or within 60 days if an extension is needed. Any extension requires that the patient be notified.

This would seem an easy enough task. And it is certainly the right thing to do — in addition to being a HIPAA compliance mandate. However, and quite inexplicably, too many organizations fail to deliver the records.

In the first half of 2021, six of them reached settlements with the OCR for violations committed in 2019. Their penalties total $445,000. And the lessons taught in each case are clear and consistent.

Lessons From Six Violations

Treatment Center Treats Patient Request Poorly

The Diabetes, Endocrinology & Lipidology Center, Inc. is a West Virginia-based healthcare provider of treatments for endocrine disorders. In July 2019, a parent requested a copy of her minor child’s protected health information from the Center.

A complaint was filed with the OCR in August 2019, alleging the Center failed to take timely action in response to her request. It is not clear who filed the complaint; it could have been the parent, or it could have been a Center employee. But it got the OCR’s attention. In its investigation, the OCR determined that the Center had indeed failed to provide timely access.

In May 2021, compelled by the investigation, the Center finally provided the requested records. The penalty for dragging their feet for almost two years was $5,000. They appear to have gotten off easy. Not so with the other violators.

Plastic Surgery Offices Fined $30,000

Village Plastic Surgery, located in New Jersey, provides cosmetic plastic surgery services. In August 2019, a patient requested access to their specific medical records. In September 2019, a complaint was filed with the OCR for failure to comply. The patient received their requested records as a result of the OCR’s investigation, which found the provider had not made the records available as required.

This violation cost Village Plastic Surgery $30,000 and a stern warning from Acting OCR Director Robinsue Frohboese, who said “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

Behavioral Health Services Behaves Badly

Arbour Hospital is located in Massachusetts and provides behavioral health services. Arbour was fined $65,000 for failing to comply with the Right of Access requirement. Here’s what happened:

In May 2019 an Arbour patient requested access to their medical records. In July 2019, a complaint was filed with the OCR alleging that Arbour still had not responded to the patient's request. OCR investigated the complaint and found the hospital had failed to comply in a timely manner. The patient finally received the records in November 2019, more than five months after their initial request.

Again, Arbour paid a $65,000 penalty for this violation—roughly $13,000 a month for the five-month delay. They probably would have preferred to keep that money in the bank.

Medical Centers Drag Their Feet on ePHI Request

Located in the San Diego area, Sharp HealthCare does business as Sharp Rees-Stealy Medical Centers, providing healthcare through various acute-care hospitals, specialty hospitals, affiliated medical groups, and a health plan.

In June 2019, a complaint filed with the OCR alleged that the Centers did not honor a patient’s request to have an electronic copy of their protected health information (ePHI) sent to a third party. Two months later, in August 2019, a second complaint was filed claiming the request still had not been fulfilled.

The records were finally released after the OCR investigation found the Centers to have failed to comply with the Right of Access requirement. The procrastination cost the Centers $70,000.

Renown Health in Double Trouble

Renown Health, P.C., a private nonprofit health system in Nevada, paid $75,000 to settle their violation with the OCR. Like most of the settlements in the first half of 2021, this violation dates back to 2019, when a patient filed a complaint alleging that Renown Health failed to send an electronic copy of her protected health information, including billing records, to a specified third party. Renown Health provided access to the requested records only after the OCR investigated the complaint.

The Acting Director of the OCR, Robinsue Frohboese, said of the incident, “Access to one’s health records is an essential HIPAA right. Healthcare providers have a legal obligation to their patients to provide access to their health information on a timely basis.”

In a completely separate incident, Renown Health experienced a data breach in April 2021 through one of its business associates, Elekta, a cloud storage provider. A forensic investigation of the data breach at Elekta concluded that protected health information had been accessed, including Renown Health patient data. Full name, social security number, address, date of birth, height, weight, medical diagnosis, medical treatment details, appointment confirmations, and other information was involved, according to the forensic report, which also noted that no financial account, credit card, or debit card information was affected. However, since PHI was exposed, we expect the OCR will be investigating this incident.

Procrastination Costs Health System $33,000 Per Month

Banner Health is a nonprofit system based in Phoenix and is one of the largest healthcare systems in the U.S. Banner Health operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities.

Two complaints were filed with the OCR against Banner Health. One patient requested her medical records in December 2017 and did not receive them until May 2018, six months later. A second patient requested access to an electronic copy of his records in September 2019 and did not receive it until February 2020, six months later.

The OCR found for the complainants, and Banner Health settled the violation for a total of $200,000. Viewed another way, the two violations cost Banner Health more than $33,000 per month for the six-month delay. That’s a lot of money to burn.

Avoid the Penalties | Embrace the Rules

All of these violations could have been avoided through simple compliance with the Patient Right of Access requirement of timely access. Whether 30 days, or an extended 60 days, patient requests for PHI and ePHI must be honored. Patients can and do complain about delays, and the OCR investigates those complaints.

As soon as a request for records is received, the healthcare entity should assign a resource to make the paper or electronic copies. The assigned resource should be monitored and held accountable for timely completion. It’s part of doing business, it’s a standard of care, and it’s the rules.

The HHS has published updated details to help guide healthcare providers, insurers, and business associates in complying with Patient Right of Access provisions. A quick review will give you all the instructions you need.

For these six organizations and violators before them, a privacy risk assessment could have prevented Patient Right of Access and other Privacy Rule violations. Now, they have been brought to the attention of the OCR. This is not the kind of attention you want and could lead the OCR to discover other HIPAA violations.

Smart healthcare providers, insurers, and business associates continue to conduct genuine, ongoing compliance efforts rather than invite the scrutiny of the OCR.


The Office for Civil Rights enforces HIPAA compliance by aggressively investigating violations claimed by patients and employees and imposing financial and other penalties upon violators.

The OCR continues to conduct a concerted program to enforce Patient Right of Access provisions of the HIPAA Privacy Rule. Healthcare entities who violate these requirements — especially those who blatantly disregard their patients’ rights to timely access — are very likely to be investigated and fined. And that may be just the beginning of their troubles.

Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.
