OCR’s HIPAA Right of Access Initiative Going Strong After Announcement of 26th and 27th Enforcement Actions
On March 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four Health Insurance Portability and Accountability Act (HIPAA) enforcement actions. Two of the actions relate to OCR’s HIPAA Right of Access Initiative, while the other two involve incidents where healthcare providers impermissibly disclosed their patients’ protected health information (PHI).
The two actions announced under the Right of Access Initiative bring the total number of enforcement actions to twenty-seven since the Initiative began in late 2019. The total settlement or penalty amount resulting from the Initiative now exceeds $1.6 million. According to OCR, the Right of Access Initiative is meant to ensure that patients receive copies of their medical records in a timely manner, in the form and format of their choice, and for a reasonable cost.
In one of these most recent Right of Access actions, OCR announced that Jacob & Associates, a psychiatric medical services provider in California, failed to provide a patient with access to the patient’s medical record over the course of five years. In that action, OCR’s investigation determined that despite the patient having mailed a medical records request to the healthcare provider every year from 2013 to 2018, the patient never received any response from the provider. In 2018, the patient resubmitted the request via facsimile, but did not receive a copy of the requested records until May 2019. In addition, OCR found that the provider required the patient to travel to the provider’s office to complete the provider’s specific request form and charged the patient a flat fee of $25 for the records.
As part of the resolution agreement, Jacob & Associates agreed to pay $28,000 and enter into a corrective action plan with OCR. Specifically, the provider is required to develop, maintain, and revise its policies and procedures to comply with the HIPAA Privacy Rule. Those policies include, but are not limited to, Designated Record Set Policy, Right of Access to PHI Policy, and training and sanction policies. Furthermore, OCR requires the provider to correct deficiencies identified in the provider’s Notice of Privacy Practices, as well as to designate a specific privacy official responsible for implementing the privacy policies and procedures. Finally, the corrective action plan requires extensive reporting to OCR over the course of two years.
Healthcare providers must be aware of their responsibilities to provide their patients with timely, accessible, and affordable access to their medical records. According to OCR, it has numerous Right of Access investigations open across the country and continues to receive complaints from patients. OCR Director Lisa Pino confirmed recently that “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil monetary penalties for violations that are not addressed.”
For additional information or for questions about your entity’s own compliance with HIPAA, please contact Young Moore healthcare attorney, David Senter.