The Office for Civil Rights (OCR) recently announced another settlement involving investigations under its Right of Access Initiative. This settlement, the sixteenth such agreement under the Initiative (and one of the most interesting), involves San Diego-based Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC). In the settlement, OCR alleged that it received a complaint on June 11, 2019, stating that SRMC “failed to timely respond” to a patient’s request to electronically access his medical records. OCR provided technical assistance to SRMC and closed the case.

OCR subsequently received a second, similar complaint that SRMC still had not received the medical records as of August 19, 2019. OCR notes in the Resolution Agreement with SRMC that SRMC did not provide access to the requested records until October 15, 2019.

In settling with SRMC, OCR stated that its investigation found that SRMC failed to timely respond to the request for the records from the third-party recipient. SRMC agreed to pay the OCR $70,000 to settle the case and to enter into a standard Corrective Action Plan.

The reason this is so interesting is that it is apparent from reading the Resolution Agreement that the request to access the medical records of the patient did not come directly from the patient, but from a third party. Covered entities are often faced with requests for medical records from third parties on behalf of patients. These third parties could be family members, executors of estates, guardians, administrators, parents, or lawyers. Under HIPAA, covered entities are not permitted to simply hand over medical records to individuals who are not the patient, and requests from third parties can be tricky for many reasons. In general, covered entities are prohibited from providing medical records of patients without the patient’s specific authorization. Although the background detailed facts of this settlement are not known, reading between the lines it looks like the request came from the patient’s attorney.

Covered entities often receive requests for medical records from attorneys, but often are not accompanied by HIPAA-compliant authorization forms to enable the covered entity to provide the medical records to the attorney. Although as attorneys we are used to being able to obtain documents on behalf of clients we represent, HIPAA does not allow covered entities to provide medical records to attorneys without a valid HIPAA authorization form. If an attorney provides the covered entity with a valid authorization form, the request is no different than the request of the patient, and the covered entity must provide access to the records under HIPAA and the OCR’s Right of Access Initiative. The lesson here is to treat the valid request from the attorney no differently than the request from the patient and to provide access to the records within the time frame outlined in HIPAA. Otherwise, the attorney may file a complaint with the OCR.

Binary Check Ad Blocker Security News

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.

The accessed information included the individuals’ names, addresses, dates of birth, Social Security numbers, bank account information, health insurance claims, and clinical treatment information.

Following an investigation, OCR found potential violations of HIPAA and the parties agreed to settle the action for a payment of $5.1 million, along with the standard requirements in a Corrective Action Plan that OCR imposes on covered entities following a data breach, including completion of a security risk assessment, implementation of a risk management plan, updating policies and procedures, and annual reporting to OCR.

The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani, an otolaryngologist (ENT) practicing in Regal Park, New York, included a payment of $15,000, a corrective action plan and two years of monitoring by the OCR.

The facts behind the case are these: In September 2018, the OCR received a complaint from a patient alleging that Dr. Bhayani failed to provide her with access to her medical records after she requested them in July 2018. Following the complaint, the OCR provided technical assistance to Dr. Bhayani regarding compliance with the right-of-access requirements and closed the case. Similar to other recent settlements with the OCR, the patient lodged a second complaint, alleging that Dr. Bhayani still had not provided her with access to her records, and as a result of re-opening the file, the OCR “determined that Dr. Bhayani’s failure to provide the requested medical records was a potential violation of the HIPAA right of access standard.” Following the investigation, the patient received a copy of her medical records in September 2020.

According to OCR Director Roger Severino, “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

Providers, the message is clear: carefully follow HIPAA’s right-of-access requirements.

The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.

Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce.

In this case, the patient complained to the OCR in March of 2019 that she had made multiple requests for her records from her provider, but never received the records. Following the complaint, OCR provided technical assistance to RPMG and closed the case. However, when the patient still did not receive he records, the patient filed a second complaint with the OCR.

The OCR reopened its file (which is never a good thing after technical assistance and a closing of a case) and launched a subsequent investigation. That investigation found that RPMG’s failure to respond to the patient’s request was a potential violation of HIPAA.

In defense of the failure to provide the patient access to her records, RPMG alleged that it was not required to produce psychiatric records under HIPAA, which the OCR admitted is true. However, the OCR stated in its press release “[W]hile the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part, (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action of proceeding).”

RPMG sent the patient all of her records, except for psychotherapy notes in October 2020.

If you haven’t figured it out yet, when the OCR said that patients’ access to their records was a priority for enforcement in 2020, this tenth case shows that it is serious, no matter how small the entity or the request. It is also clear that the OCR will only give you one chance for technical assistance. Tread carefully when responding to patients’ request for access to their records with these settlements as guidance.

Binary Check Ad Blocker Security News

Continuing its enforcement priority of assisting patients with obtaining access to their health records, the Office for Civil Rights (OCR) recently settled its ninth case with a covered entity that it alleged failed to provide proper access of health records to a patient.

NY Spine Medicine, a medical practice providing neurological and pain management series to patients in New York and Florida, agreed to settle allegations of failing to provide a patient access to her medical records for $100,000 and a corrective action plan.

The OCR alleges that the patient made multiple requests for her medical records from NY Spine Medicine in 2019, but the patient did not receive the diagnostic films she specifically requested. She complained to the OCR which started an investigation. The OCR determined that “NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. As a result of OCR’s investigation, the complainant received all of the requested medical records in October 2020.”

The OCR has made it very clear that providing patients with timely access to their health information is a high priority, so careful consideration of this priority is essential when responding to patients’ requests for their records.