On December 11, 2019, the Office for Civil Rights (“OCR”), within the U.S. Department of Health and Human Services, announced a settlement with a covered entity, Korunda Medical, LLC (“Korunda”), to resolve alleged violations of the Right of Access Initiative (“Initiative”) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (“Privacy Rule”). As part of the settlement, Korunda admitted no wrongdoing and agreed to pay HHS $85,000 and to enter into a Corrective Action Plan (“CAP”). Korunda is a health care company that offers comprehensive primary care and interventional pain management to approximately 2,000 patients annually, with six offices located in Florida.
The Initiative, which was spearheaded by the OCR in 2019, seeks to enforce patients’ right to receive copies of their medical records promptly and cost-effectively. This settlement and the CAP represent the second enforcement action under the Initiative. The first action occurred in September 2019.
As to Korunda, a complaint was filed with OCR on March 6, 2019 alleging that Korunda was not in compliance with the Privacy Rule. The complaint alleged that Korunda failed to timely forward a patient’s medical records in electronic format to a third party, despite the patient’s repeated requests. The complaint also alleged that when Korunda provided the requested patient medical records, Korunda failed to provide the records in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA. OCR intervened and offered assistance to Korunda. Despite the assistance provided by OCR, the records were not transmitted by Korunda and a second complaint was filed with OCR. As a result of the second complaint, the requested records were provided free of charge in electronic format.
After conducting an investigation of Korunda’s compliance with HIPAA Rules, OCR concluded that Korunda failed to provide timely access to protected health information in compliance with HIPAA’s Privacy Rule. Under the CAP entered into by Korunda, it will be subject to one (1) year of monitoring and must accomplish each of the following:
- review and revise Korunda’s policies and procedures related to an individual’s access to protected health information (PHI), including methods for calculating costs to ensure compliance with the reasonable cost-based fees required under HIPAA;
- train all Korunda workforce members concerning an individual’s right of access to PHI;
- submit to HHS a list of the requests for access to PHI received by Korunda, including the date the request was received and completed, and the cost charged to the individual (excluding postage); and
- promptly investigate any allegation that a workforce member failed to comply with its access policies and procedures, and notify HHS in writing within thirty (30) calendar days if Korunda determines that a member of the workforce has failed to comply.
This OCR settlement is an important reminder that HIPAA-covered entities must comply with the Privacy Rule and OCR’s Right of Access Initiative. All covered entities should review their policies and procedures to ensure they are promptly providing required access to PHI, at a reasonably cost-based fee and in the format requested. Additionally, covered entities must ensure that their privacy policies regarding an individual’s right to access his/her PHI are consistent with the Privacy Rule and OCR’s Initiative. The Korunda settlement is an example of the consequences for failing to provide requested patient records in a timely manner.