January 12, 2021 The Office for Civil Rights (OCR) wasted no time starting on their new year’s resolutions, announcing their 14th settlement as part of the HIPAA Right of Access initiative just 2 weeks into 2021. Patient right of access fines are starting to become a monthly occurrence, and it’s no surprise that the OCR would start off the new year with the same enforcement efforts they ended 2020 with. Banner Health, an Arizona-based non-profit health system operating 30 hospitals, primary care, urgent care, and specialty care facilities across the country, became the OCR’s first victim of the year with the largest right of access fine to date – $200,000. This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health system’s noncompliance with the HIPAA right of access standard. If today’s settlement isn’t enough reason to avoid dragging your feet on records requests and getting HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” The OCR has clearly hit the ground running with HIPAA enforcement in the new year and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released just this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.
OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests
December 22, 2020 The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and they couldn’t close out 2020 without handing out at least one last holiday gift. We know there are only 12 days of Christmas as the song goes – and we don’t think the OCR will be handing out lords-a-leaping or pipers piping anytime soon – but there IS one more gift not mentioned in the classic song (at least the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement – and proves just how unprepared many practices have been when it comes to HIPAA compliance. This week’s extra gift went to Peter Wrobel, M.D., whose practice Elite Primary Care out of Georgia found themselves doing a little extra holiday spending this year after settling with the OCR for $36,000. The settlement resolved a patient right of access complaint from April 2019, which took over a year to fully wrap (present-related pun intended). Here are the highlights from this latest fine: Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the way the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise) but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher. Taking over a year to get records access is already a bad call, but proposed changes to the HIPAA Privacy Rule will make the typical 30-day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line.
While this may not have been the gift Elite Primary Care was wishing for this year, it did come with some wise words of advice from OCR Director, Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.” We hope your practice gets a better gift this year than a hefty fine – but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!
What You Need to Know About HIPAA Patient Right of Access Laws
November 20, 2020 Wanna know the secret to avoiding patient complaints? Well, until we figure out the trick to making everyone happy (which is next to impossible) we can at least fill you in on the next best thing – how to avoid one of the main causes of patient complaints – improper patient record access. You might be thinking, how can providing patients access to something that’s already theirs be that hard? Yet more than half of practices still fail to comply with patient access laws, opening themselves up to complaints and ultimately HIPAA fines. In fact, the Office for Civil Rights (OCR) just recently announced the 12th settlement in their right of access enforcement initiative, further emphasizing the importance of providing proper access. The Boring Stuff: What is the Right of Access law? The HIPAA Patient Right of Access law was created to provide patients with a level of ownership over their own medical records. This means that patients are able to: What information can be provided to a patient? Does this mean that your practice has to go and round up every single one of Sally Smith’s records when she asks for it? Not necessarily – when a patient asks for access to their records there is specific information that you are legally expected to provide which is referred to as the “designated record set” and includes: RELATED: Your Patient Requested Access to their Medical Records, Now What? Ok, so…what information shouldn’t be provided? Now before you go and slap a postage stamp (or hit send on that encrypted email) with the entire patient file, there is some information that can be left out of the designated record set. Any information that does not pertain to decisions made about the patient’s health directly does not have to be provided to patients such as: There’s a host of other requirements when providing patient records, and knowing what policies the Right of Access law includes is important to avoiding patient complaints about record requests.
Unless you’re a professional people-pleaser, dealing with patient complaints is inevitable – but with HIPAA right of access enforcement continuing to ramp up, it’s an important topic to keep your practice up to speed on.
OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement
November 19, 2020 Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement on the Office for Civil Rights’ (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year. This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati Community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard. The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request that her electronic health records (EHR) be sent directly to her lawyers on February 22, 2019. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year. While we’ve seen more than a handful (2 handfuls plus two fingers to be exact) of patient right of access fines over the past year, this specific settlement is a great example of failing to provide patient records not only in a timely manner, but also in the format they were requested in. It is required under HIPAA law to be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as have the ability to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree to an alternative method with the requester.
Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that the “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.” Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500 with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water. With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!
OCR Announces the 11th HIPAA Right of Access Settlement
November 12, 2020 The last few months have shown that it’s not a matter of when the next Office for Civil Rights (OCR) HIPAA fine will drop, it’s how much the fine will be for. It’s sort of become a race at the Abyde office to share the news first when the OCR’s next press release hits our inboxes (seriously – this blog’s authors are winning in case you were concerned). Today’s entry into our fine-marathon is yet another patient right of access violation – bringing total access settlements to 11 and 2020’s fine count to $13,226,500. The latest right of access violator is Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology (a specialty focused on the ears, nose, and throat, if you aren’t a medical specialties trivia whiz) out of New York. The settlement comes as a result of a patient complaint regarding a violation of the Privacy Rule’s right of access standard and left Dr. Bhayani with a $15,000 bill and a two-year corrective action plan to boot. Back in September 2018, the OCR received a complaint that Dr. Bhayani failed to respond to a patient’s request for medical records made in July of that year. The OCR responded by providing the doctor with technical assistance on the issue, and it was case-closed (or so they thought). Half a year later, complaint number two came rolling in, noting that even in July of 2019 the patient still hadn’t received their requested records. Only after further OCR investigation were the records finally provided in September of 2020 – two whole years after the initial complaint. The OCR is certainly taking this right of access fine-marathon seriously, sprinting to the end of 2020 with 9 right of access related fines since September. 
“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion,” stated OCR Director, Roger Severino, “we will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.” The best way to tell the OCR ‘message received’? Get your HIPAA program in order NOW, particularly all the pieces that go into patient right of access – HIPAA authorization forms, the right access policies and timeframes, staff training, and more. OCR Director Severino said it best – it doesn’t matter if your practice has 3 employees and sees only a handful of patients, dealing correctly with HIPAA requirements is essential to avoiding $$$ in fines and the scrutiny of the OCR.
OCR Announces the 10th HIPAA Right of Access Settlement
November 6, 2020 The Office for Civil Rights (OCR) wasn’t kidding when they emphasized HIPAA Right of Access enforcement last year – if you STILL don’t believe the many (so, so many) blog articles we’ve written on previous fines, maybe today’s 10th fine announcement will do the trick. Patient right of access has been a trending topic (waiting for the hashtag to trend any day now) over the past few months, and the latest settlement is just another reminder of what your practice needs to watch for. Today’s fine goes to Riverside Psychiatric Medical Group (RPMG), out of Riverside, California who agreed to a $25,000 payout and two-year corrective action plan to settle a violation of the Privacy Rule’s patient right of access standard. The latest settlement comes as a result of a patient complaint received just last year, in March of 2019. The complaint claimed that RPMG failed to provide access to requested medical records – even after multiple requests, OCR technical assistance after the first complaint, and a second complaint a month later. In this particular case, unlike other patient right of access fines levied thus far, RPMG claimed they didn’t provide access because the requested records included psychotherapy notes. Psychotherapy notes include documentation of private counseling sessions, separate from regular medical records, and are able to be withheld under HIPAA law because of the nature of the records. So was the practice actually in the wrong? While psychotherapy notes CAN be withheld, HIPAA still requires: Since RPMG failed to do either, they found themselves with $25,000 less in their pockets and two whole years of administrative paperwork to be completed. Even if your practice doesn’t deal with mental or behavioral health services, RPMG’s case includes some important lessons for all types of providers. 
When records can’t be provided (for legitimate reasons only, people) a written explanation and a copy of the records can and should be provided to the patient. No one likes to be left hanging, said best by OCR Director, Roger Severino himself: “When patients request copies of their health records, they must be given a timely response, not a run-around.” Avoid being an enforcement victim by reviewing what your practice has in place now, and what is required when a patient requests their records. Make sure you have a designated method for patients to request records and fulfill their requests within the right time frame – within 30 days at the federal level, though it varies by state. And just in case you’re keeping score (just us?) this fine brings 2020’s running total to $13,211,500.
OCR Settles Ninth HIPAA Right of Access Investigation
October 9, 2020 The OCR has proven they keep their promises (unlike that former friend we all know), taking only two days to fulfill their recent pledge of continued right of access enforcement and announcing yet another HIPAA fine. For those of you counting, that’s 7 right of access fines in less than a month – so take the hint, and pay attention to what your practice should be doing when it comes to patient right of access. This time, the fine goes to NY Spine Medicine (NY Spine), a New York-based neurology and pain management medical practice, which was hit with a $100,000 fine and two-year corrective action plan for failing to provide records to a patient in 2019. After making multiple requests beginning in June 2019, NY Spine failed to provide diagnostic film records to a patient, only providing the records in October 2020 after OCR investigation. Important to note about this case is that NY Spine did provide some records to the patient, but not the ones she had actually requested – making this still a right of access violation. As OCR Director Roger Severino put it, “no one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” If you’re a covered entity of any kind, now would be the right time to say ‘message received’. If the OCR’s words aren’t enough, take a look at the stats: If you need a refresher, read up on the five right of access fines announced in September or this Wednesday’s $160,000 right of access fine. What should your practice be doing right now? First, don’t panic. Second, if you think you might not be up to snuff on patient right of access, we have the inside scoop on how to get compliant and update your policies and know-how (wink wink).
Just sign up for an educational webinar to learn what steps you can take right away to prevent being the next enforcement victim.
OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center
October 7, 2020 The Office for Civil Rights (OCR) has officially kept their foot on the gas heading into October, announcing their 8th HIPAA right of access fine and adding to a string of nine total HIPAA fines announced since September 15th. Five of those recent fines also centered on providing patients appropriate access to their records, an initiative the OCR pledged to enforce in 2019. The latest practice left in the OCR’s dust is St. Joseph’s Hospital and Medical Center (SJHMC), an acute care hospital with several hospital-based clinics providing a variety of health services out of Phoenix, Arizona. SJHMC was slapped with a $160,000 fine, along with a 2-year corrective action plan to settle their potential HIPAA violation. Continuing the patient right of access violation trend, SJHMC failed to provide patient records requested by a patient’s personal representative within any sort of a reasonable timeframe, and certainly not within HIPAA-mandated and state-specific deadlines. OCR involvement began in April 2018, when a complaint was received from an SJHMC patient’s mother stating that since January of 2018 she made various requests for a copy of her son’s medical records that SJHMC had failed to fulfill. While the hospital provided partial records, they failed to produce the full records requested despite follow-ups made by the mother in March, April, and May of 2018. The records were only provided a long 22 months later, in December 2019, after the OCR got involved to investigate the complaint. The deadline to provide patient records after a request in Arizona is 30 days. If you haven’t realized the enforcement trend yet, the OCR made it pretty clear in their statement announcing the fine. 
“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino stated, “OCR has many rights of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.” Not only did OCR Director Roger Severino call out practices that aren’t actively focusing on their HIPAA compliance program, he emphasized that there is more to come related to patient right of access. This fine, along with the many others announced in recent weeks, emphasizes just how important it is to have a HIPAA compliance program and the right policies in place to fulfill all aspects of HIPAA compliance – including meeting patients’ access requests.
Your Patient Requested Access to their Medical Records, Now What?
September 18, 2020 When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access: Access is just for the patient, right? We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient. A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if: How must access be requested? Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request. Do I need to verify the requester is authorized? Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. 
While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request. What form must records be provided in? We’re long past the days of keeping everything on paper, and most practices manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead. How quickly do records need to be provided? The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30-day extension period. Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years. Can I charge patients for copies of their records? Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests.
This fee can include: There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.
OCR Settles First Case in HIPAA Right of Access Initiative
September 9, 2019 Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative. Earlier this year, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR initiated its investigation based on a complaint from the mother. As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. 
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html