The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, which totals 11 settlements thus far. In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on providers that failed to provide timely access to a patient’s protected health information by imposing six-figure fines (in two instances) and two year Corrective Action Plans on all four occasions. In addition, the OCR Director delivered some stern remarks regarding the provider’s obligations with respect to the HIPAA Privacy Rule.
I. Dignity Health
On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), which is a large, acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that she made multiple requests for her son’s medical records acting, as her son’s personal representative, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.
The OCR determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR delivering a $160,000.00 “Resolution Amount” (as defined in the Corrective Action Plan) and mandating Dignity Health to enter into a two year Corrective Action Plan. For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS. You can find the entire OCR announcement regarding Dignity Health here.
II. NY Spine Medicine
Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative involving NY Spine Medicine, which is a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she made a request to NY Spine Medicine for her medical records, and again, the provider failed to the deliver the requested medical records after the woman made several inquiries.
The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set. In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two year Corrective Action Plan, which included similar mandated provisions as the Dignity Health Corrective Action Plan. Most notably, the OCR Director, Roger Severino, provide some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.
III. Riverside Psychiatric Medical Group
The OCR announced its tenth enforcement action under the Right of Access Initiative involving Riverside Psychiatric Medical Group, which is a group practice focused in mental health and substance abuse located in Riverside, California. Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group. However, even after the OCR assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two (2) year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.
IV. Dr. Bhayani
Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York. Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records. Yet again, the OCR responded by providing Dr. Bhayani with technical assistance. In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing $15,000 Resolution Amount and implementing a two (2) year Corrective Action Plan, which includes a six (6) year document retention requirement. In other words, the OCR will have a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.
V. Moving Forward
The message is loud and clear, Director Severino. The OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative. Based on the latest wave of settlements, it seems that all it takes is the denial or inadequate response to a single patient or personal representative’s request to access their medical records and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to the compliance with a Corrective Action Plan, whether it is hiring additional staff, drafting new policies, or revamping its entire recordkeeping processes. Moving forward, all providers should diligently respond to all requests for patient records and ensure its policies and procedures comply with the Privacy Rule.