November 12, 2020
The last few months have shown that it’s not a matter of when the next Office for Civil Rights (OCR) HIPAA fine will drop, it’s how much the fine will be for. It’s sort of become a race at the Abyde office to share the news first when the OCR’s next press release hits our inboxes (seriously – this blog’s authors are winning in case you were concerned). Today’s entry into our fine-marathon is yet another patient right of access violation – bringing total access settlements to 11 and 2020’s fine count to $13,226,500.
The latest right of access violator is Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology (a specialty focused on the ears, nose, and throat, if you aren’t a medical specialties trivia whiz) out of New York. The settlement comes as a result of a patient complaint regarding a violation of the Privacy Rule’s right of access standard and left Dr. Bhayani with a $15,000 bill and a two-year corrective action plan to boot.
Back in September 2018, the OCR received a complaint that Dr. Bhayani failed to respond to a patient’s request for medical records made in July of that year. The OCR responded by providing the doctor with technical assistance on the issue, and it was case-closed (or so they thought). Half a year later, complaint number two came rolling in, noting that even in July of 2019 the patient still hadn’t received their requested records. Only after further OCR investigation were the records finally provided in September of 2020 – two whole years after the initial complaint.
The OCR is certainly taking this right of access fine-marathon seriously, sprinting to the end of 2020 with 9 right of access related fines since September. “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion,” stated OCR Director, Roger Severino, “we will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”
The best way to tell the OCR ‘message received’? Get your HIPAA program in order NOW, particularly all the pieces that go into patient right of access – HIPAA authorization forms, the right access policies and timeframes, staff training, and more. OCR Director Severino said it best – it doesn’t matter if your practice has 3 employees and sees only a handful of patients, dealing correctly with HIPAA requirements is essential to avoiding $$$ in fines and the scrutiny of the OCR.