February 12, 2021 Today the Office for Civil Rights (OCR) is celebrating their Sweet 16 – sixteenth HIPAA Right of Access fine, to be exact. Instead of party hats and birthday cake, they’re kicking off the festivities with a hefty settlement and second HIPAA fine this week. The not so lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based out of California. SRMC was gifted with a $70,000 fine along with a 2-year corrective action plan for violating HIPAA right of access requirements. The ‘party’ began back in June of 2019 after the OCR received a complaint stating that SRMC failed to respond when a patient requested an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?). The ‘party’ didn’t stop there, when even after providing technical assistance the OCR received a second complaint just two months later alleging that SRMC had still yet to provide the requested access. It wasn’t until after the OCR investigated further that SRMC finally fulfilled the patient’s request. Not only did today’s announcement take the cake (party pun intended) for the second fine released just this week, but the details of the most recent settlements are so similar we feel like we’re seeing double. Both fines were a result of patient right of access violations, and more specifically for the failure to provide an electronic copy of health records to a third party. So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the way it was requested. Acting OCR Director, Robinsue Frohboese emphasized the government’s continued focus in today’s press release, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock. If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be too much fun) then having the right policies and procedures in place along with the proper employee training on how to respond to record requests is key.
OCR Announces the 10th HIPAA Right of Access Settlement
November 6, 2020 The Office for Civil Rights (OCR) wasn’t kidding when they emphasized HIPAA Right of Access enforcement last year – if you STILL don’t believe the many (so, so many) blog articles we’ve written on previous fines, maybe today’s 10th fine announcement will do the trick. Patient right of access has been a trending topic (waiting for the hashtag to trend any day now) over the past few months, and the latest settlement is just another reminder of what your practice needs to watch for. Today’s fine goes to Riverside Psychiatric Medical Group (RPMG), out of Riverside, California who agreed to a $25,000 payout and two-year corrective action plan to settle a violation of the Privacy Rule’s patient right of access standard. The latest settlement comes as a result of a patient complaint received just last year, in March of 2019. The complaint claimed that RPMG failed to provide access to requested medical records – even after multiple requests, OCR technical assistance after the first complaint, and a second complaint a month later. In this particular case, unlike other patient right of access fines levied thus far, RPMG claimed they didn’t provide access because the requested records included psychotherapy notes. Psychotherapy notes include documentation of private counseling sessions, separate from regular medical records, and are able to be withheld under HIPAA law because of the nature of the records. So was the practice actually in the wrong? While psychotherapy notes CAN be withheld, HIPAA still requires: Since RPMG failed to do either, they found themselves with $25,000 less in their pockets and two whole years of administrative paperwork to be completed. Even if your practice doesn’t deal with mental or behavioral health services, RPMG’s case includes some important lessons for all types of providers. When records can’t be provided (for legitimate reasons only people) a written explanation and a copy of the records can and should be provided to the patient. No one likes to be left hanging, said best by OCR Director, Roger Severino himself: “When patients request copies of their health records, they must be given a timely response, not a run-around.” Avoid being an enforcement victim by reviewing what your practice has in place now, and what is required when a patient requests their records. Make sure you have a designated method for patients to request records and fulfill their requests within the right time frame – within 30 days at the federal level, though it varies by state. And just in case you’re keeping score (just us?) this fine brings 2020’s running total to $13,211,500.