CG attorneys have discussed the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) focus on patient access to records in its “HIPAA Right of Access Initiative.” Under this initiative, OCR settled numerous actions involving medical practices that potentially violated the HIPAA Privacy Rule’s right of access requirements (45 C.F.R. § 164.524), including at least four such actions since November 2020.
In November, CG attorneys alerted readers to OCR’s tenth settlement under its HIPAA Right of Access Initiative. The settlement involved a medical practice that received two complaints regarding failure to provide a patient with their requested records. Although the practice asserted that it did not have to comply with the request under the psychotherapy note exception, OCR explained that medical records that do not contain psychotherapy notes should be provided to the patient. The medical practice settled for $25,000. Six days after OCR’s tenth settlement announcement, OCR announced its eleventh settlement regarding alleged violations of the HIPAA Privacy Rule’s right of access requirements. The medical practice settled for $15,000 and agreed to take corrective actions. Also in November, OCR announced that the University of Cincinnati Medical Center, LLC agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access requirements. The University of Cincinnati Medical Center’s settlement was OCR’s twelfth settlement under its HIPAA Right of Access Initiative.
On December 22, 2020, OCR announced its thirteenth settlement under its initiative. According to the press release, OCR received a complaint alleging that Elite Primary Care did not respond to a patient’s request for access to his medical records. As in previous settlements, OCR provided the practice technical assistance regarding the HIPAA Privacy Rule’s right of access requirements and closed the complaint. OCR received a second complaint five months later, which alleged that Elite Primary Care had yet to provide the patient access to his medical records. OCR initiated an investigation and determined that Elite Primary Care’s failure to provide medical records may have violated the HIPAA Privacy Rule’s right of access requirements, according to the press release. Elite Primary Care agreed to a two-year corrective action plan (CAP) and to pay $36,000 to settle the potential violations. Under the CAP, Elite Primary Care must develop and revise written HIPAA policies and procedures, provide training to all employees, provide a written report on the status of its implementation of the CAP, and implement record retention requirements.
These settlements are clear indications of OCR’s continued prioritization of enforcing the HIPAA Privacy Rule’s right of access requirements. In November, Director Roger Severino commented on OCR’s HIPAA Right of Access Initiative: “We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.” Providers should heed OCR’s warnings and ensure proper training on and compliance with the HIPAA Privacy Rule’s right of access mandate, which provides parameters for the provision of access, denial of access, and record-keeping requirements for medical record requests.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.