In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share.
Wake Health Medical Group
The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard.
Denver Retina Center
Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations.
Advanced Spine & Pain Management (ASPM)
The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring.
Rainrock Treatment Center, LLC (dba Monte Nido Rainrock)
Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations.
Dr. Rober Glaser
And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000.
In addition to the settlement announcement, the recently appointed ICR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.