Right of Access

Dental Patient Right of Access
Audits, Fines, HIPAA

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Comments Off on OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage:  The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?

OCR Announces Eleven HIPAA Right of Access Fines
Fines, HIPAA

OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Comments Off on OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Waking up every morning is an eye-opening experience. Do you know what else is an eye-opening experience? Waking up to see all of the enforcement investigations the OCR launched against practices like yours. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. Under the HIPAA Privacy Rule, the OCR launched this effort to assist individuals’ right to timely access to their health records at a reasonable cost. HIPAA provides individuals with the right to view and get copies of their health information from their healthcare providers and health plans. A HIPAA-regulated entity has 30 days after receiving a request to provide an individual or their representative with their records in a timely manner. OCR Director, Lisa J. Pino, states, “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”  Practices are no longer sneaking under the radar! The Office for Civil Rights (OCR) just concluded its thirty-eighth enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $646,000 across eleven penalties, the announcement of the verdicts includes eleven cases. Here is a brief breakdown of a couple of the cases just released by HHS:  The first dental action includes a $5,000 settlement for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. An eye care practice made the mistake of not providing a copy of a patient’s medical records until three days after the OCR investigated. Now that is crazy! To settle a potential violation of the HIPAA Privacy Rule right of access standard, the practice agreed to take corrective actions and pay $22,500. Something as simple as not giving your patients access to their data quickly enough can result in a huge fine! One not-for-profit health system learned the hard way by not responding timely enough to a complainant’s access request. This cost the health system a whopping $240,000!  So, whether it’s responding to a request or delivering that request on time, you need to make sure your practice is on point to avoid these heavy penalties. As we can see the queen bee (Lisa Pino) isn’t joking around on pushing the OCR’s  HIPAA Right of Access Initiative across practices, we encourage you to ensure you have the right HIPAA compliance measures in place. So what’s the holdup? For less than a scratch-off ticket a day you can save your practice from those sneaky fines and become friends with Abyde today!

Dentistry HIPAA Fines
Fines, HIPAA

Dentistry HIPAA Fines

March 29, 2022 Comments Off on Dentistry HIPAA Fines

March 29, 2022 Dental practices are no longer flying under the radar! The Office for Civil Rights (OCR) just concluded its twenty-seventh enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $170,000 across four penalties, the announcement of the verdicts includes two cases as part of the HIPAA Privacy Rule. The additional actions related to the disclosure of patients’ protected health information (PHI). Here is a brief breakdown of the three dental cases just released by HHS:  The first dental action includes a $30,000 settlement against the initially cited $104,000 for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. Nearly two-and-a-half years from the time of citation, the practice has completed a package of action plans, creating a costly and lengthy resolution process.  Something as simple as Google review responses can get you fined! One provider learned the hard way the dos and don’ts of reputation management. A patient filed a complaint with the OCR after the provider included the patient’s full name and PHI in their review response. This cost the practice a whopping $50,000!  Not the usual politician slip up, but a recent provider running for office learned not to mix business and pleasure. As part of his political campaign, the provider shared names and addresses of over 5,000 patients with both his campaign manager and third-party marketing partner to distribute letters and emails. Resulting in a final citation of $62,500, this surely put a roadblock on his campaign trail!  As we see the OCR cracking down on their HIPAA Right of Access Initiative across dental practices, we encourage you to ensure you have the right HIPAA compliance measures in place. With an hour of your time, we will get you everything you need. How much is an hour of your time worth – we bet it’s not $170,000!

5 HIPAA Right of Access Violations
Fines, HIPAA

OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 Comments Off on OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard.   Denver Retina Center Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations.   Dr. Robert Glaser And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000. In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”  While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.

HIPAA Right of Access Initiative Fine
Fines, HIPAA

OCR Announces 20th HIPAA Right of Access Settlement

September 10, 2021 Comments Off on OCR Announces 20th HIPAA Right of Access Settlement

September 10, 2021 There might not be such thing as time travel but with the latest HIPAA settlement announcement, it’s looking like the Office for Civil Rights (OCR) has traveled back to their own version of the Roaring ‘20s. Two years, and now twenty resolutions later, the government initiative to support individuals’ right to timely record access has driven its own little economic boom – with the 20th financial penalty bringing the right of access running total to $1,173,500.  Children’s Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with the OCR, with a fine of $80,000 and requirement to adopt a corrective action plan that involves one year of government monitoring. But while the Nebraska-based pediatric provider probably isn’t too jazzed about the repercussions, the penalty comes as a result of an equally unhappy individual who was not provided the proper access that HIPAA strives to ensure. The issue was brought to the OCR’s attention back in May of 2020 after a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter’s medical records. The complaint stated that while the organization fulfilled a portion of the request, CHMC failed to provide all of the requested records despite the parent’s several follow-up requests. The delay was in part due to the remainder of the requested records being needed to obtain from a different CHMC division but it wasn’t until after the OCR’s investigation that full access was provided. In addition to the resolution agreement, Acting OCR Director, Robinsue Frohboese released in a statement, “Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”  While this settlement shares plenty of similarities with the 19 other examples of noncompliance that we have seen since the enforcement initiative started, it’s important to note the fact that this $80,000 fine was the result of just one patient complaint. And though the Roaring ’20s might’ve been a relatively short-lived era, proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the right of access enforcement initiative isn’t going anywhere, anytime soon. So with the latest settlement serving as the perfect example of just how much damage a single HIPAA complaint can have on a healthcare organization – ensuring you’re fulfilling all medical record requests in a timely and HIPAA-compliant manner is essential to avoid becoming lucky settlement number 21.

OCR Announces 19th Right of Access Settlement
Fines, HIPAA

OCR Announces 19th Right of Access Settlement

June 2, 2021 Comments Off on OCR Announces 19th Right of Access Settlement

June 2, 2021 With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last minute spring cleaning in – announcing their latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up their “HIPAA mess” that started back in 2019.  Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced their initiative two years ago. And ironically enough – around the same time that the government was declaring their focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them.  The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.  Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it and just to name a few: This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping themselves. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to their initiative and continued to sweep up any and all violators. And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same and was reiterated by Acting OCR Director Robinsue Frohboese in that, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”   

Right of Access Settlement Announced
Fines, HIPAA

HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced

March 26, 2021 Comments Off on HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced

March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice who’s HIPAA compliance efforts were well below par.  Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and two year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course.  The round began back in September of 2019, after a patient filed an all too familiar complaint to the OCR that the practice had failed to respond to their record request that was made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation.  It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.” So, with $5,540,000 collected in HIPAA fines just in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.  

OCR Right of Access Violation Settlement
Fines, HIPAA

OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement

March 25, 2021 Comments Off on OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement

March 25, 2021 We are definitely no meteorologists over here but if there’s one pattern that we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday – it’s looking like HIPAA enforcement season is in full effect.   Arbour, Inc., d.b.a Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm – but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whooping $65,000 fine and corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared their enforcement initiative back in the fall of 2019, proving that whoever said that lightning never strikes the same place twice clearly didn’t know HIPAA.  Arbour first showed up on the OCR’s radar back in July of 2019, after they received a complaint alleging that the practice had failed to respond to a patient’s record request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing record access and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than 5 months after the patient’s initial request – making the perfect storm for a HIPAA violation.  With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned. And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese made their storm-warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” A key takeaway from the 17 practices’ caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. And if they had listened to the first warning siren, they could’ve potentially avoided the settlement entirely. Since taking timely action in response to a patient’s records request has shown to be an ongoing issue for covered entities of all specialties and size – with the proposed HIPAA Privacy Rule changes shortening the record response time from 30 days to 15 days, we can foresee dark skies ahead if practices don’t start complying.  So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal Patient Right of Access laws while also having the necessary policies and procedures to back it up is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.

Sharp HealthCare HIPAA Fine
Fines, HIPAA

OCR Announces 16th Right of Access Settlement

February 12, 2021 Comments Off on OCR Announces 16th Right of Access Settlement

February 12, 2021 Today the Office for Civil Rights (OCR) is celebrating their Sweet 16 – sixteenth HIPAA Right of Access fine, to be exact. Instead of party hats and birthday cake, they’re kicking off the festivities with a hefty settlement and second HIPAA fine this week.   The not so lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based out of California. SRMC was gifted with a $70,000 fine along with a 2-year corrective action plan for violating HIPAA right of access requirements.    The ‘party’ began back in June of 2019 after the OCR received a complaint stating that SRMC failed to respond when a patient requested an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?).  The ‘party’ didn’t stop there, when even after providing technical assistance the OCR received a second complaint just two months later alleging that SRMC had still yet to provide the requested access. It wasn’t until after the OCR investigated further that SRMC finally fulfilled the patient’s request. Not only did today’s announcement take the cake (party pun intended) for the second fine released just this week, but the details of the most recent settlements are so similar we feel like we’re seeing double. Both fines were a result of patient right of access violations, and more specifically for the failure to provide an electronic copy of health records to a third party.  So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the way it was requested. Acting OCR Director, Robinsue Frohboese emphasized the government’s continued focus in today’s press release, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock. If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be too much fun) then having the right policies and procedures in place along with the proper employee training on how to respond to record requests is key.  

OCR Settles 15th Right of Access Violation
Fines, HIPAA

OCR Settles 15th Right of Access Violation

February 10, 2021 Comments Off on OCR Settles 15th Right of Access Violation

February 10, 2021 The Office for Civil Rights (OCR) started 2021 off with some heavy hitters – including a $5.1 MILLION fine only 15 days into the year – but their fifteenth HIPAA right of access settlement (and counting – we’re taking bets on how many they get in before the end of the year) emphasizes they’re not just going after the big guys when it comes to keeping HIPAA programs in check.  Renown Health, P.C., a private, not-for-profit health provider out of Nevada, became the third HIPAA violator of the new year after failing to meet HIPAA right of access requirements back in 2019. The violation came with a hefty penalty of $75,000, along with a 2-year corrective action plan.  So what happened?  This time two years ago, the OCR received a complaint that Renown Health failed to fulfill a patient’s request for an electronic copy of their medical and billing records. In this particular instance, the patient had requested to have it sent to a third party – something that HIPAA not only allows for, but expects providers to fulfill.  Singing the same tune as last year’s many access-related fines, it wasn’t until after the OCR got involved and investigated further that Renown Health finally provided access to all of the requested records. Acting OCR Director, Robinsue Frohboese, weighed in on the latest settlement, “access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.”  What this means for you With 15 right of access settlements under their belt, the OCR has made it clear that providing proper access in the way records are requested is key – not to mention the ticking clock (30 days, or less depending on the state) that goes with any record request.  With the proposed changes to the HIPAA Privacy Rule suggesting an even shorter time frame to respond to record requests, providing timely access should be on every practice’s radar. If it’s not, or even if it is, making sure to have documented policies around how records are provided and recording requests in a written format is key to preparing your practice should you wind up as part of the OCR’s right of access crusade. Not sure where your current HIPAA program stands, especially when it comes to patient’s access rights? Schedule a complimentary consultation with one of our HIPAA experts today to see what you might be missing before it’s too late!   

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X