As the year comes to an end, we thought we would revisit the HIPAA Right of Access Initiative. It’s a subject we have covered during the past two years that can hit providers in their wallet.
The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) “to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. You can read more about that here.
The Office for Civil Rights at the U.S. Department of Health and Human Services recently announced it had resolved five more investigations into violations of this initiative – bringing to 25 the total number of these enforcement actions since the initiative began.
OCR created the initiative to give patients timely access to their medical records at a reasonable cost under the HIPAA Privacy Rule. OCR believes that patients who are given access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research.
If a provider is found to be in violation, they face financial consequences, must take corrective action, and in many cases also must be monitored for a period of time.
The five more recent cases with links to the agreements are:
Advanced Spine & Pain Management (ASPM) agreed to take corrective actions that include two years of monitoring and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Denver Retina Center agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Dr. Robert Glaser failed to cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. He waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. OCR closed this case by issuing a civil money penalty of $100,000.
Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”) took corrective actions including one year of monitoring and paid OCR $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Wake Health Medical Group agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
As you can see, settlements can be costly, so it’s imperative that you familiarize yourself with these requirements to ensure that you comply.
The Health Law Offices of Anthony C. Vitale can assist you in reviewing your policies and procedures as well as defending your rights in any OCR investigation. Contact the firm for additional information at 305-358-4500 or send an email to [email protected].