Twelve recent investigation settlements show that the Office for Civil Rights (OCR) is serious about HIPAA enforcement. Eleven of the settlements were for alleged violations of the patient Right of Access rule and one resulted from OCR’s investigation of a major hacking breach. The total amount of settlement payments collected for the twelve investigations is $1,521,000.
The breach investigation settlement announced on July 14, 2022:
- Oklahoma State University – Center for Health Sciences (OSU-CHS) paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and has agreed to implement a corrective action plan to settle potential violations of HIPAA Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university which provides preventive, rehabilitative, and diagnostic care in Oklahoma.
Right of Access Violations
OCR created the HIPAA Right of Access Initiative in 2019 to support patients’ right to timely and cost-effective access to their health records. OCR Director Lisa Pino last week stated:
“Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
The eleven Right of Access investigation settlements announced on July 15, 2022 are:
- ACPM Podiatry, with offices in Peoria and Canton, Illinois, failed to provide a former patient with his requested medical records. In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination. OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
- Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. Associated Retina has agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard.
- Lawrence Bell, Jr., D.D.S., a dental practice located in Baltimore, MD, failed to provide timely access to a patient’s medical record. The dental practice has agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Coastal Ear, Nose, and Throat (ENT), located in Ormond Beach, Florida, failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Danbury Psychiatric Consultants (DPC), located in Massachusetts, failed to respond timely to a complainant’s access request. DPC also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. DPC has agreed to take corrective actions and has paid $3,500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center (ECMC), located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Fallbrook Family Health Center, located in Nebraska, failed to provide timely access to medical records. Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Hillcrest Nursing and Rehabilitation, located in Massachusetts, failed to provide an individual’s personal representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
- MelroseWakefield Healthcare (MWH), a provider in Massachusetts, did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records. MWH has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
- Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, failed to respond timely to a complainant’s access request. Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
- Southwest Surgical Associates (SWSA), a group practice with nine locations in the Greater Houston, TX area, failed to provide an individual timely access to their health information. SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
The variety of organizations cited by OCR is telling. They are large and small, nonprofit and for-profit, diverse geographically and in the nature of services provided. This unfortunately confirms the findings of the Phase 2 HIPAA audits published in December 2020. The privacy of patient health information is at risk at health care providers of all sizes and types across the nation.
The corrective action plans required of each are also telling. Most of them go beyond the Right of Access rules and require the providers to have all Privacy Rule policies and procedures in place and to make sure their staff is trained to follow them to protect the privacy of protected health information (PHI). It is not acceptable for providers to overlook these basic procedures until they have an OCR complaint-induced investigation or suffer a data breach.
For a quick review of the key elements of the Right of Access rules, see A Current Simple Guide to Right of Access or HIPAA Enforcement is Alive and Well – Patient Right of Access.
Noncompliance Revealed in Breach Investigation
The OSU resolution agreement tells a familiar story of noncompliance. In its announcement, OCR stated:
“OCR’s investigation found potential violations of the HIPAA Rules including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation, failures to implement audit controls, security incident response and reporting, and failure to provide timely breach notification to affected individuals and HHS.”
OCR Senior Advisor Nicholas Heesters noted on a recent webcast that, after a breach, providers take all the steps required by HIPAA that they should have taken before the breach. In our view, the HIPAA Risk Analysis is the first priority because it leads to everything else required for full compliance, including evaluations, audit controls, response and reporting, breach notification procedures and workforce training, all noted in the OSU settlement.
Three Key Takeaways from OCR Enforcement
The eleven Right of Access settlements coming on the heels of the OSU settlement suggest OCR Director Lisa Pino is serious about enforcement. Increased enforcement should bring a sense of urgency to covered entity HIPAA compliance programs – prevention is much less expensive than an investigation and fines.
- Don’t take your HIPAA compliance program for granted – review your policies and procedures – are you up to date?
- Conduct a HIPAA Risk Analysis at least once a year, and follow through with Risk Management year-round.
- Train your workforce about the HIPAA Right of Access rules, and all aspects of HIPAA related to their specific job functions. Be sure to include cybersecurity awareness training.