OCR Announces Second $85,000 Settlement for Alleged Violations of the Individual Right of Access under HIPAA

Robinson+Cole Data Privacy + Security Insider
Contact

On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations.

The HIPAA Right of Access Initiative is a new effort in 2019 by OCR to monitor compliance with HIPAA requirements addressing patient rights to promptly access medical records, in a readily producible format, without being subject to excessive fees. OCR announced its first settlement under the Right of Access Initiative in September 2019 (see our analysis of that settlement here), and this settlement indicates a continued focus by OCR on HIPAA compliance by providers when responding to patient requests for records.

In this case, OCR entered into an $85,000 settlement with Korunda Medical, LLC (Korunda), a Florida-based primary care and pain management provider, after conducting an investigation which indicated that Korunda failed to provide a patient with timely access to protected health information in accordance with the Privacy Rule. According to the resolution agreement, Korunda’s alleged failure to comply with HIPAA’s right of access for individuals came after OCR had received a prior complaint and provided “technical assistance” to Korunda regarding the individual right of access under HIPAA. In addition to the monetary payment, OCR and Korunda entered into a one-year corrective action plan, under which Korunda is obligated review and revise its policies concerning access to medical records, provide workforce training on individual access rights, and submit a list of medical record access requests received by Korunda from individuals every 90 days to OCR after approval of its updated access policies.

This settlement reiterates the importance for covered entities and business associates to review their policies and procedures governing production of medical records in response to patient requests, and the importance of responding to patients in a timely manner. This settlement is also a warning to entities that receive technical assistance from OCR that the government is unlikely to overlook subsequent allegations of non-compliance following such assistance. Finally, it is interesting to note that the monetary settlement here – $85,000 – for alleged violations of HIPAA’s right of access is the same amount extracted by OCR in its first Right of Access Initiative settlement (despite the defendant in that case being a larger entity), suggesting that OCR may view that amount as a “floor” for resolution of potential violations under the HIPAA Right of Access Initiative.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.