Ok, usually to be in the top 10 or top 25 of something is a good thing. That is all relative to the list. The top 10 most wanted is not a great list to be in the top. The top ten rated hospitals, that is a great list. Here, we have the top 18 providers/facilities who have entered into settlement agreements with the Office of Civil Rights (OCR) for allegedly failing to comply with the right to access requirement. Collectively they have paid over $1,147,500 in penalties.
Of the top 18, ten entities failed to comply with the OCR’s first investigation and resulted in a second investigation. It should never take the federal government to step in for a patient or patient representative to get access to medical records. Failure to comply with the law potentially impacts patient’s care and incurs avoidable costs to healthcare providers.
Rounding out the Top 18 Entities and/or Providers who have received enforcement action to date are:
- Peter Wrobel, M.D., P.C., dba Elite Primary Care – $36,000 to settle violation and agree to a two-years of monitoring.
The allegations state Elite failed to respond to the patient’s request for access of records. A month after the complaint, the OCR provided technical assistants to Elite regarding the right of access requirement. OCR closed the matter. Five months later, the OCR received a second complaint alleging the records were still not provided. The OCR stepped in again and eventually the records were provided.
- The University of Cincinnati Medical Center, LLC (UCMC) – $65,000 to settle the violation and agreed to a two-years of monitoring.
In may 2019, the OCR received a complaint alleging UCMC did not provide request records via electronic format to the patient’s lawyer. The OCR investigated and determined UCMC failed to provide the records timely and in the requested format.
- Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE) – $200,000 to settle the violation and agreed to a two-year of monitoring.
The patient requested access to medical records in December 2017 and did not receive the records until May 2018. There was a second complaint alleging an electronic copy of records was requested in September 2019, the records were not sent until February 2020.
- Sharp HealthCare, dba Sharp Rees-Stealy Medical Centers (SRMC) – $70,000 to settle the violation and agreed to a two-year of monitoring.
This is the most recent enforcement for failure to provide medical records in a timely manor. A complaint was filed June 2019 alleging failure to timely provided requested records in an electronic format to a third party. The OCR provided SRMC with technical assistance. In August 2019, a second complaint was filed claiming failure to receive medical records in an electronic format were not sent to a third party. As a result of the second OCR investigation, the records were subsequently provided.
- Housing Works, Inc – $38,000 to settle the violation and agreed to a corrective action.
In July 2019 a complaint was filed with the OCR alleging failure to provided requested medical records. The OCR provided technical assistance to Housing Works on the HIPAA Right of Access requirements and closed the complaint. A second complaint was received August 2019 alleging Housing Work still had not provided the requested records. The OCR investigated and the patient ultimately received the medical records in November 2019.
- All Inclusive Medical Services, Inc. (AIMS)– $15,000 to settle the violation and agreed to a corrective action.
In April 2018 the OCR received a complaint alleging in January 2018 AIMS refused to allow the patient access to their medical record. After the OCR investigation AIMS provided the record in August 2020.
- Beth Israel Lahey Health Behavioral Services – $70,000 to settle the violation and agreed to a corrective action.
In April 2019, the OCR received a complaint alleging the provider did not respond to a records request in February 2019. After investigation by the OCR Beth Israel sent the records in October 2019.
- King MD – $3,500 to settle the violation and agreed to a corrective action.
In October 2018, the OCR received a complaint alleging King MD did not respond to the patients request for access to medical records in August 2018. The OCR provided technical assistance to King MD. In February 2019, a second complaint was received by the OCR alleging the patient still had not received access to the requested medical records. The OCR initiated another investigation. Subsequent to the second investigation the records were issued in July 2020.
- Wise Psychiatry, PC – $10,000 to settle the violation and entered into a corrective action.
In February 2018, the OCR received a complaint alleging failure to provide the patient’s representative access to the minor son’s patient record. The record request was November 2017. The OCR provided technical assistance to Wise Psychiatry and closed the complaint in April 2018. A second OCR complaint was received by the patient’s representative in October 2018 alleging once again Wise Psychiatry failed to provide the requested records. The OCR investigated again and determined records were not provided. As a result of the second investigation the minor patient’s records were provide in May 2019.
- Bayfront Health St. Petersburg (Bayfront) – $85,000 to settle the violation and entered into a corrective action.
The complaint alleged a mother requested health information for nine months of her unborn child with no success. This was the first case in the HIPAA Right of Access Initiative.
- Korunda Medical, LLC (Korunda) – $85,000 to settle the violation and entered into a corrective action.
This is the second case of the OCRs HIPAA Right of Access Initiative. In March 2019, the OCR received a complaint alleging Korunda failed to forward medical records as requested to a third party. This issue here, was failure to provide in the requested format and failed to timely provide the records, and charged more than the reasonable cost-based fees allowed under HIPAA. The OCR provided technical assistance on how to correct the matters and closed the complaint. Korunda continued to fail to provide the records in which a second OCR complaint was filed. As a result of the second complaint, the records were ultimately provided for free in May 2019 in the requested format.
- Renown Health, P.C. – $75,000 to settle the violation and entered into a corrective action.
In February 2019, the OCR received a complaint alleging Renown failed to timely respond to the patient’s request to receive an electronic copy of her protected health information, including billing records. The request was to send the documents to a third party. After the OCR investigation, Renown provided access to all of the requested records.
- Rajendra Bhayani – $15,000 to settle the violation and entered into a corrective action.
In September 2018, the OCR received a complaint alleging failure to provide access to records after it was requested on July 2018. The OCR provided technical assistance to Dr. R. Bhayani on complying with HIPAA’s Right of Access requirements and closed the complaint. Dr. Bhayani failed to heed the instructions and allegedly did not provide the records. This resulted in a second complaint with the OCR. After the subsequent OCR investigation, it was confirmed there was no production of records. The patient received the copy of requested records in September 2020 after the second investigation.
- Riverside Psychiatric Medical Group (RPMG) – $25,000 to settle the violation and entered into a corrective action.
In March 2019, the OCR received a complaint alleging RPMG failed to provide the patient with the requested medical records after several requests. The OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the complaint. RPMG continued to provide the records, resulting in a second complaint with the OCR. RPMG defense of their non-production of records was based on psychotherapy notes.
There are special protections regarding psychotherapy notes. But the covered entity must provide the request a written explanation when it denies any request to records in whole or in part. Here, RPMG failed to do that. Also, the patient may have access to other portions of their record outside of the psychotherapy notes. RPMG failed to do that. As a result of the second OCR investigation RPMG did provide all the requested information in October 2020 excluding psychotherapy notes.
- NY Spine Medicine (NY Spine) – $100,000 to settle the violation and entered into a corrective action.
In July 2019, OCR received a complaint alleging beginning in June 2019 the patient made multiple attempts to get copies of their medical records. NY Spine provided some but not all of the records. The diagnostic films specifically requested were not provided. After the OCR investigated in October 2020 the patient received all of the requested medical records.
- Dignity Health dba St. Joseph’s Hospital and Medical Center (SJHMC) – $160,000 to settle the violation and entered into a corrective action.
In April 2018, the OCR received a complaint alleging starting in January 2018 the patient made multiple requests to obtain a copy of the son’s medical record as the personal representative. SJMHC provided some of the records but not all of them. The representative followed up in March, April, and May 2018 with SJHMC and despite all the attempted requests the requested records were still not provided. As a result of the OCR’s investigation, SJHMC subsequently provided a copy of all the requested records on December 19, 2019 – more than 22 months after the initial request.
- Arbour Hospital (Arbour) – $65,000 to settle the violation and entered into a corrective action.
In July 2019, an initial complaint was filed alleging Arbour did not timely respond to a patient’s record request in May 2019. The OCR provided assistance to Arbour regarding the HIPAA Right of Access requirements. Unfortunately, Arbour did not head the ORC’s advice, resulting in a second complaint filed later in July 2019. The OCR initiated a second investigation and confirmed Arbour failed to meet the timely access requirements. At the outcome of the OCR investigation Arbour finally provide the patient with their requested records in November 2019.
- Village Plastic Surgery (VPS) – $30,000 to settle the violation and entered into a corrective action.
In September 2019, an initial complaint was filed with the OCR claiming VPS failed to respond to a patient’s request for records access in August 2019. The OCR completed their investigation confirming the allegations in the complaint.
If any indication from this investigation, the OCR may be losing tolerance and issuing penalties at the outset of confirming allegations rather than providing guidance. There has been a pattern of the OCR providing technical guidance and the complainant still not receiving compliance in their request resulting in a subsequent OCR investigation and issuing a financial penalty at the end of the subsequent investigation.
What is the law?
Under the HIPAA Privacy Rule’s right of access requirements, covered entities must act on a request for access no later than 30 days after receipt of the request. If a covered entity denies a request in whole or in part the covered entity must provide a written denial. The denial must be provided timely and be drafted in plain language.
There are some exceptions under the law in which certain types of records such as psychotherapy notes and research studies (with proper consent). There are other restrictions beyond those mentioned here.
Avoiding OCR Investigation
There are great lessons that can be learned from these enforcement actions. They were all avoidable had the entities complied with the law. The Access to Protected Health Information applies the same whether it is a solo practice or larger covered entity.
If an organization or practice relies on a third party to manage release of records, ensure they are complying with the law. Request to review the policies, procedures, education, and onboarding education of new staff. Do they have a Privacy Officer dedicated to overseeing enforcement of company policies and regulations? If you are in the process of securing a third-party vendor carefully vet the organization.
What section of the law applies to access to records?
HIPAA Privacy Rule’s right of access requirements (45 C.F.R. § 164.524) is the Federal law which was enforced for these cases. There may also be state laws as well.