The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently settled two additional enforcement actions as part of its HIPAA Right of Access Initiative, which is a program implemented by HHS in early 2019 to support individuals’ right to timely access of their health records at a reasonable cost under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires covered entities and relevant business associates to provide patients with timely access to their protected health information, with few exceptions. Providers must send requested records within thirty days, or within sixty days if an extension is applicable. The latest round of settlements brings the total to eighteen settlements of enforcement actions. The penalties assessed by HHS under the eighteen settlements range from $3,500 to $200,000, ongoing monitoring by HHS, and adoption of a corrective action plan.
- Settlement #17: Arbour Hospital: On March 24, 2021, HHS announced that it reached a settlement with Arbour Hospital (Arbour), a behavioral health services company located in Massachusetts. In response to the right of access allegations, Arbour agreed to pay OCR a monetary penalty of $65,000, undertake a corrective action plan, and undergo one year of monitoring. For Arbour, the enforcement action stems from a patient complaint filed with OCR in July 2019. The patient alleged that he requested records from the hospital beginning on May 7, 2019, and had yet to receive them at the time of the complaint, nearly two months later. In response, OCR offered technical assistance to Arbour. Despite the offered assistance, later in July, OCR received a second complaint that Arbour still had not provided the requested information to the patient. Then, in November 2019, more than five months after the initial request, Arbour provided the patient with the requested records.
- Settlement #18: Village Plastic Surgery: On March 26, 2021, HHS announced that it reached a settlement with Village Plastic Surgery (VPS), a cosmetic plastic surgery practice in New Jersey. Under the settlement, VPS agreed to pay OCR a monetary penalty of $30,000, undertake a corrective action plan, and undergo two years of monitoring. For VPA, the enforcement action stems from a patient complaint filed with OCR in September 2019. In the complaint, a patient alleged that VPS failed to take timely action in response to a records access request made in August 2019. OCR initiated an investigation and determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
According to HHS, fine amounts are determined by a range of factors, including the nature of the alleged violation, the harm caused by the HIPAA violation, the facility’s size, and the facility’s compliance history. Further, if corrective action plans are not followed, HHS may impose additional civil money penalties on the facility. Covered entities should take note that most of the OCR enforcement actions with heavy fines stem from complaints by individuals. These hefty settlement amounts show how seriously OCR is taking this initiative. In many instances, the enforcement actions followed OCR’s attempts to offer warnings and technical support to the providers. At the end of the day, covered entities need to understand the risk involved when receiving these record requests. Therefore, providers should take action and implement effective compliance plans regarding this issue.
For additional guidance, please click here to view AGG’s article covering HIPAA Right of Access compliance tips.