11 healthcare providers settle HIPAA right-to-access failures with the feds
The Department of Health and Human Services’ Office for Civil Rights (OCR) announced settlements with 11 covered entities to resolve claims that the providers failed to give patients timely access to their medical records, in violation of the Health Insurance Portability and Accountability Act (HIPAA).
The enforcement actions stem from OCR’s right to access initiative launched in 2018, designed to strengthen patient access rights across the United States. Providing individuals with their medical records strengthens the coordination of care and the overall quality of care.
The latest actions bring the total number of settlements under the initiative to 38.
The latest settlements include civil monetary penalties ranging from $3,500 to $240,000. The heaviest penalties were imposed on Memorial Hermann Health System in Texas and ACPM Podiatry in Illinois. Memorial Hermann paid OCR $240,000 and ACPM $100,000.
Medium-sized penalties were issued to Southwest Surgical Associates in Texas ($55,000), MelroseWakefield Healthcare ($55,000), Hillcrest Nursing and Rehabilitation in Massachusetts ($55,000), Erie County Medical Center Corporation ($50,000), Nebraska’s Fallbrook Family Health Center ($30,000), and Associated Retina Specialists of New York ($22,500).
The smallest fines were paid by Coastal Ear, Nose, and Throat in Florida ($20,000), Lawrence Bell Jr., DDS, in Baltimore ($5,000) and Danbury Psychiatric Consultants in Massachusetts ($3,500).
The range of penalties reflects the nature and extent of the violations, while emphasizing the importance OCR places on the HIPAA right of access. The standard states that patients have the right to see and/or obtain their records within 30 days, or longer if an extension is filed.
“It shouldn’t take a federal investigation before a HIPAA-covered entity gives patients, or their personal representatives, access to their medical records,” OCR Director Lisa J. Pino said in a press release. Entities must “understand that OCR takes seriously respect for the law and the fundamental right of individuals to timely access to their medical records.”
The two most significant penalties imposed provide examples for Covered Entities and affected Business Associates of their responsibilities under HIPAA.
$100,000 penalty for ACPM Podiatry
The ACPM Podiatry case highlights a number of key issues that providers should avoid when ensuring HIPAA compliance and when interacting with OCR regarding potential HIPAA violations. The OCR sanction imposed on ACPM came after it failed to respond or request a hearing “in accordance with the instructions contained in the Notice of Proposed Ruling”.
As such, the provider does not have the right to appeal the monetary penalty of $100,000.
The latest enforcement action stems from an April 8, 2019 complaint filed with OCR by a former ACPM patient, who alleged that “the ACPM refused to provide him with requested medical records.” OCR promptly provided ACPM with written technical assistance on right of access requirements, including that covered entities must respond and provide access to PHI within 30 days.
“The tech support letter informed the ACPM that a covered entity cannot deny an individual access to their PHI on the basis that the individual has not paid the bill for health services that the covered entity has provided to the individual,” according to the findings.
OCR then considered the case closed and informed the patient that he could contact the agency again if the access problems persisted. A month later, the same patient filed a second complaint claiming that ACPM had still not provided the requested records and had not responded to oral requests made in September and October 2018, and a written request in November 2018.
However, the audit findings show that ACPM failed to respond to both the patient and the OCR investigators on several occasions.
The patient alleged that “he inquired about his request in December 2018, and was informed by an ACPM employee that the ACPM was not trying to deny his request, but had a lot of surgeries to be completed before the end of the year”, according to the conclusions.
Another request made in January 2019 was reportedly answered with non-payment issues. And ACPM allegedly told the patient that “if the insurance doesn’t pay, the ACPM won’t release the records.”
The second complaint to OCR stated that the patient inquired about the access request and was told by an employee, “We still have your request and we have you[r] number.” But the patient needed the medical record to “appeal an unfavorable decision taken by his health insurance fund for the payment of an invoice related to care provided by the ACPM”.
OCR responded to these allegations by sending ACPM the complaint and a request for data, including whether the specialist had provided this patient with their medical records. The agency also requested a copy of its patient access policies, while reminding ACPM of HIPAA requirements.
In the request, ACPM was given a number of options for responding to the allegations, including presenting evidence that the alleged violation did not occur or describing the actions it took in response to the patient’s request.
However, ACPM did not respond to the data request or OCR until June 29, 2019. OCR followed up with the provider twice by phone and again by letter on July 16, 2019, requesting a copy of the data request, its responses to OCR, and for ACPM to “contact the investigator assigned to the case to arrange production of the requested data.”
“The ACPM did not respond to OCR’s data request letter of June 14, 2019, nor did it contact the investigator assigned to this case,” according to the findings. The patient did not receive his record until July 28, 618 days after the November 13, 2018 written access request. But the patient says the records are incomplete.
In response to the actions and inactions, OCR sent ACPM a letter advising the specialist that ACPM had failed to comply with the HIPAA right-of-access rule and that “the matter has not been resolved through informal means despite OCR’s attempts to do so”. Thus, the preliminary indications showed that ACPM was not in compliance.
Despite being reminded that it could submit written evidence to opt out of the CMP within 30 days, ACPM ignored the requests and provided no evidence of mitigating factors or “affirmative defence”.
The United States Attorney General granted OCR leave to impose its civil monetary penalty on ACPM. OCR has determined that ACPM is responsible for violating HIPAA because it failed to provide timely access to medical records.
While the applicable penalty tier for this violation is willful neglect, uncorrected, which carries a maximum fine of $3.57 million, OCR assessed ACPM a penalty of $100,000. OCR calculated the penalty based on ACPM’s financial situation and the nature and extent of the violations.
OCR also considered past compliance history, which included a similar complaint filed against ACPM on grounds similar to those held against the provider in the original complaints.
Memorial Hermann Health System’s $240,000 penalty detailed
An investigation was opened into Memorial Hermann after a patient filed a complaint with OCR on August 31, 2020, alleging that the health system failed to provide him with his medical records. The patient made five requests for access to his complete billing file and his medical file between June 2019 and January 2020.
OCR found that Memorial Hermann did receive the initial access request on July 10, 2019, and “subsequently failed to take timely and compliant action on those requests.”
The request was not completed in full until March 26, 2021, supporting “the legal conclusion that the Covered Entity violated” the right of access standard by not completing the access request for a total of 564 days.
In addition to paying $240,000 to OCR, Memorial Hermann has agreed to put in place a corrective action plan that requires a review of its internal policies and procedures that govern patient access to their protected health information, including a reliable receipt and processing tracking mechanism for all written requests for access to medical information and records.
The healthcare system should also develop its HIPAA right-of-access policies and procedures and provide relevant staff members with training to handle the materials in accordance with the rule.