Big Penalties for Right to Access Initiative
The Office for Civil Rights (OCR) HIPAA Right of Access initiative recently led to the resolution of 11 cases at a cost of $626,000, emphasizing the risk of failing to comply with this requirement.1
The most recent settlements bring the total number of Right to Access enforcement actions to 38, with individual penalties ranging from $3,500 to $240,000. The higher penalties are associated with a longer delay in complying with a patient’s request for records.
In one case, podiatry practice offices in Peoria and Canton, IL, failed to provide a former patient with his requested medical records. “In response to an initial complaint, OCR provided ACPM [Podiatry] with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests,” OCR reported. “ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination.” OCR imposed a civil penalty of $100,000.1
In another case, an eye clinic in New York failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation. That was almost five months after the patient’s first written request. The clinic agreed to take corrective actions and paid $22,500 to settle a potential violation of the Right of Access standard.1
The recent cases indicate OCR is strongly enforcing Right of Access, says Paul F. Schmeltzer, JD, senior attorney with Clark Hill in Los Angeles. Some in the industry had speculated recent leadership changes at OCR might result in a slowdown on pursuing these cases, but he says that is not happening.
“In fact, we’ve seen more enforcement and settlements since then. They’re really focused on the Right of Access initiative. It’s not going away,” Schmeltzer says. “Covered entities need to know that if they receive a patient request for records and they don’t respond promptly, or if they only respond partially, that is opening the door to these types of investigations and settlements.”
Schmeltzer notes the case in which the clinic did not reply to the patient until receiving a letter from OCR. If the covered entity only sends the records to the patient at that point and does nothing else, such a response sends a damaging message. “That inflames the whole situation and makes the penalty greater than what it might have been,” he says. “You’re showing that you respond only when you really have to.”
OCR investigators may make assumptions if they do not know the reason for the delay, says John F. Howard, JD, associate attorney with Clark Hill in Scottsdale, AZ. If the covered entity offers no explanation for why it responded promptly to OCR and not the patient, the assumption might be it is because OCR has the power to impose penalties, whereas the patient does not.
“It starts to look like, ‘Oh no, I got caught.’ It is absolutely important that this is not just a back-of-the mind situation when it comes to complying with these patient requests,” Howard emphasizes. “Compliance with this law is actually very important.”
In that scenario, the covered entity still should provide the requested records to the patient after OCR contact, Schmeltzer explains. Continued failure to comply would look even worse.
“I’ve advised clients that you also need to reach out to the OCR investigator who sent you the correspondence and tell them you are providing the records now and the reason you didn’t provide them before,” Schmeltzer says. “I’ve seen cases in which the covered entity has 20 or 30 offices, and the patient request went to the wrong place and fell through the cracks. Those are easy enough to explain, and that is going to mitigate some of whatever comes later in a settlement with OCR.”
Mistakes happen, but at the point OCR is involved the goal must be to avoid inadvertently creating the impression of a coverup or a callous disregard for the patient’s request, Howard says. Communication must be clear, indicating the covered entity regrets the error and it is not routine to ignore a patient request for records.
Honesty and contrition matter in OCR investigations. “There will be some things that the person you’re communicating with won’t like hearing, because a failure did occur for some reason. But at least you’re honest about the mistake and you’re not trying to cover it up,” Schmeltzer says. “What you don’t want is for them to think you don’t have a policy on patient access to records, or you have one and you just don’t follow it. If there is a reason for the delay, let the patient and investigator know, apologize, and move forward.”
REFERENCE
- Office for Civil Rights. Eleven enforcement actions uphold patients’ rights under HIPAA. July 15, 2022.
SOURCES
- John F. Howard, JD, Clark Hill, Scottsdale, AZ. Phone: (480) 684-1133. Email: [email protected].
- Paul F. Schmeltzer, JD, Clark Hill, Los Angeles. Phone: (213) 417-5163. Email: [email protected].
The Office for Civil Rights HIPAA Right of Access initiative recently led to the resolution of 11 cases at a cost of $626,000, emphasizing the risk of failing to comply with this requirement.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.