Renown Health, P.C. (Renown), a non-profit health system in Nevada, settled with the U.S. Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services in a matter resulting from an enforcement action for a potential violation of patients’ access rights under the OCR’s Health Insurance Portability and Accountability Act of 1996 (HIPAA) Right-of-Access Initiative. The Renown settlement is the 15th settlement under this initiative.

Renown paid $75,000 and agreed to:

  • Develop and maintain written access policies and procedures to comply with HIPAA
  • Distribute updated policies and procedures related to the right-of-access to all workforce members
  • Train workforce members on the right-of-access
  • Revise its Notice of Privacy Practices to reflect the steps that patients need to take to access their PHI (including billing records)

OCR alleged that Renown did not respond to a patient’s request that an electronic copy of her protected health information (PHI), including billing records, be sent to a third party in a timely manner under HIPAA. The OCR’s investigation determined that this failure to provide timely access was a potential violation of Renown’s obligations to the patient. As a result of the investigation, Renown also provided access to all the requested records.

Acting Director of OCR, Robinsue Frohboese, said “Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” and OCR will certainly continue to enforce these types of violations throughout 2021. OCR announced this initiative in September 2019 seeking to support patients’ right to timely access to their PHI at a reasonable cost under HIPAA.

To view the corrective action plan that Renown has agreed to, click here.

The Office for Civil Rights (OCR) recently announced another settlement involving investigations under its Right of Access Initiative. This settlement, the sixteenth such agreement under the Initiative (and one of the most interesting), involves San Diego-based Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC). In the settlement, OCR alleged that it received a complaint on June 11, 2019, stating that SRMC “failed to timely respond” to a patient’s request to electronically access his medical records. OCR provided technical assistance to SRMC and closed the case.

OCR subsequently received a second, similar complaint that SRMC still had not received the medical records as of August 19, 2019. OCR notes in the Resolution Agreement with SRMC that SRMC did not provide access to the requested records until October 15, 2019.

In settling with SRMC, OCR stated that its investigation found that SRMC failed to timely respond to the request for the records from the third-party recipient. SRMC agreed to pay the OCR $70,000 to settle the case and to enter into a standard Corrective Action Plan.

The reason this is so interesting is that it is apparent from reading the Resolution Agreement that the request to access the medical records of the patient did not come directly from the patient, but from a third party. Covered entities are often faced with requests for medical records from third parties on behalf of patients. These third parties could be family members, executors of estates, guardians, administrators, parents, or lawyers. Under HIPAA, covered entities are not permitted to simply hand over medical records to individuals who are not the patient, and requests from third parties can be tricky for many reasons. In general, covered entities are prohibited from providing medical records of patients without the patient’s specific authorization. Although the background detailed facts of this settlement are not known, reading between the lines it looks like the request came from the patient’s attorney.

Covered entities often receive requests for medical records from attorneys, but often are not accompanied by HIPAA-compliant authorization forms to enable the covered entity to provide the medical records to the attorney. Although as attorneys we are used to being able to obtain documents on behalf of clients we represent, HIPAA does not allow covered entities to provide medical records to attorneys without a valid HIPAA authorization form. If an attorney provides the covered entity with a valid authorization form, the request is no different than the request of the patient, and the covered entity must provide access to the records under HIPAA and the OCR’s Right of Access Initiative. The lesson here is to treat the valid request from the attorney no differently than the request from the patient and to provide access to the records within the time frame outlined in HIPAA. Otherwise, the attorney may file a complaint with the OCR.

Binary Check Ad Blocker Security News

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.

The accessed information included the individuals’ names, addresses, dates of birth, Social Security numbers, bank account information, health insurance claims, and clinical treatment information.

Following an investigation, OCR found potential violations of HIPAA and the parties agreed to settle the action for a payment of $5.1 million, along with the standard requirements in a Corrective Action Plan that OCR imposes on covered entities following a data breach, including completion of a security risk assessment, implementation of a risk management plan, updating policies and procedures, and annual reporting to OCR.

The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani, an otolaryngologist (ENT) practicing in Regal Park, New York, included a payment of $15,000, a corrective action plan and two years of monitoring by the OCR.

The facts behind the case are these: In September 2018, the OCR received a complaint from a patient alleging that Dr. Bhayani failed to provide her with access to her medical records after she requested them in July 2018. Following the complaint, the OCR provided technical assistance to Dr. Bhayani regarding compliance with the right-of-access requirements and closed the case. Similar to other recent settlements with the OCR, the patient lodged a second complaint, alleging that Dr. Bhayani still had not provided her with access to her records, and as a result of re-opening the file, the OCR “determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard.” Following the investigation, the patient received a copy of her medical records in September 2020.

According to OCR Director Roger Severino, “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

Providers, the message is clear: carefully follow HIPAA’s right-of-access requirements.

The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.

Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce.

In this case, the patient complained to the OCR in March of 2019 that she had made multiple requests for her records from her provider, but never received the records. Following the complaint, OCR provided technical assistance to RPMG and closed the case. However, when the patient still did not receive he records, the patient filed a second complaint with the OCR.

The OCR reopened its file (which is never a good thing after technical assistance and a closing of a case) and launched a subsequent investigation. That investigation found that RPMG’s failure to respond to the patient’s request was a potential violation of HIPAA.

In defense of the failure to provide the patient access to her records, RPMG alleged that it was not required to produce psychiatric records under HIPAA, which the OCR admitted is true. However, the OCR stated in its press release “[W]hile the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part, (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action of proceeding).”

RPMG sent the patient all of her records, except for psychotherapy notes in October 2020.

If you haven’t figured it out yet, when the OCR said that patients’ access to their records was a priority for enforcement in 2020, this tenth case shows that it is serious, no matter how small the entity or the request. It is also clear that the OCR will only give you one chance for technical assistance. Tread carefully when responding to patients’ request for access to their records with these settlements as guidance.

Binary Check Ad Blocker Security News

Continuing its enforcement priority of assisting patients with obtaining access to their health records, the Office for Civil Rights (OCR) recently settled its ninth case with a covered entity that it alleged failed to provide proper access of health records to a patient.

NY Spine Medicine, a medical practice providing neurological and pain management series to patients in New York and Florida, agreed to settle allegations of failing to provide a patient access to her medical records for $100,000 and a corrective action plan.

The OCR alleges that the patient made multiple requests for her medical records from NY Spine Medicine in 2019, but the patient did not receive the diagnostic films she specifically requested. She complained to the OCR which started an investigation. The OCR determined that “NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. As a result of OCR’s investigation, the complainant received all of the requested medical records in October 2020.”

The OCR has made it very clear that providing patients with timely access to their health information is a high priority, so careful consideration of this priority is essential when responding to patients’ requests for their records.

Continuing with its previous enforcement actions centered on covered entities’ failure to provide patients with access to their health records, the Office for Civil Rights (OCR) announced on October 9, 2020 that it entered into a settlement with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center in Phoenix (St. Joseph’s) for $160,000 for failing to respond to multiple requests of a mother for her son’s records.

According to the OCR, a patient’s mother requested on multiple occasions her son’s medical records and St. Joseph’s failed to respond to her requests. She complained to the OCR, which commenced an investigation. Although St. Joseph’s provided partial records within months of the mother’s initial request in January 2018, the request was not fully complied with until December 2019.

The OCR stated “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.” The OCR warned covered entities by further stating “OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”

In addition to the settlement of $160,000, St. Joseph’s is subject to a two-year corrective action plan that requires it to retrain its employees, update its policies and procedures around access to records, and distribute them to employees.

Regulatory bodies are upping the ante when it comes to settling with companies that have suffered data breaches. In addition to the below settlements, see also the settlement between the OCR and Dignity Health.

Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement

On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million patients, including 45,000 New Jersey residents. This is after CHS agreed to pay $2.3 million in settlement for HIPAA violations alleged by the Office for Civil Rights. Read article

Morgan Stanley Settles with OCC for $60 Million

Morgan Stanley has settled claims by the Office of the Comptroller of the Currency (OCC) that it failed to properly decommission data centers that housed client data of its wealth-management operations two times—once in 2016 and once in 2019 for $60 million. Read article

 

Premera Blue Cross (Premera) has agreed to settle with the Office for Civil Rights (OCR) for $6.85 million over allegations of violations of HIPAA after an investigation of a data breach that occurred in 2014 affecting 10.4 million individuals. This is the largest settlement the OCR has entered into with a covered entity in 2020, and the second largest in history (second only to Anthem, which settled with the OCR for $16 million in 2018 for a data breach that occurred in 2015).

Premera self-reported to the OCR on March 17, 2015, that cyber-attackers infiltrated its IT system through a phishing campaign in May 2014, which went undetected until January of 2015. The attack, an advanced persistent threat, compromised the protected health information of 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.

Following an investigation, the OCR alleged that Premera failed both to conduct an enterprise-wide security risk analysis and to implement risk management measures or audit controls.

In addition to the payment of the settlement amount, Premera entered into a Corrective Action Plan to implement security measures, including conducting a risk analysis and developing and implementing a risk management plan, and revising its privacy and security policies.

Binary Check Ad Blocker Security News

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has settled potential violations of HIPAA with Athens Orthopedic Clinic PA (Athens) for $1.5 million, following an investigation of a data breach that occurred in 2016.

The data breach compromised the protected health information of 208,557 individuals when the information may have been stolen and posted online for sale. Two days later, the hacker requested payment of money in exchange for return of the stolen database. It is reported that the hacker was able to access the database through the use of a vendor’s credentials.

The OCR’s investigation found that Athens had systemic noncompliance with both the HIPAA Privacy and Security Rules. In addition to the monetary settlement, Athens will also implement a corrective action plan and be monitored for two years.