OCR’s Right of Access Initiative Continues: Second Settlement in 2019
On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a second enforcement action as part of the HIPAA Right of Access Initiative, an effort by OCR to ensure individuals get access to their medical records promptly. Earlier this year, Bayfront Health St. Petersburg (“Bayfront”) entered into a settlement agreement for $85,000 for potential violations of the HIPAA Privacy Rule’s right of access rule. The second enforcement action was against Korunda Medical, LLC (“Korunda”), a Florida-based company that provides primary care and interventional pain management services, and includes allegations that Korunda failed to send medical records in the patient’s requested format to a third party.
The Korunda enforcement action involves two (2) patient complaints to OCR. In March 2019, a patient complained that Korunda failed to timely forward an electronic copy of the patient’s medical records to a third party. The patient also claimed that Korunda charged more than a reasonable, cost-based fee to process the request. OCR investigated the complaint and provided technical assistance to Korunda on how to provide proper access in a timely manner.
Following closure of the first complaint, OCR received a second complaint alleging Korunda failed to provide requested records in the format requested. OCR opened a second investigation and found continued noncompliance with the Privacy Rule’s individual rights provisions. As a result of OCR’s intervention, the records were eventually provided in the format requested, and Korunda agreed to an $85,000 settlement and corrective action plan.
The Korunda settlement highlights OCR’s continued efforts to promote individual rights under HIPAA. Healthcare organizations should review the Privacy Rule’s individual rights provisions, in particular the rules regarding access to protected health information (“PHI”). The Privacy Rule contains specific rules regarding timelines for response to a request, the form and format of PHI (including electronic formats) that must be provided, the right to direct a copy of PHI to a third party, and fees that may be charged for access to PHI.
Both the Korunda and Bayfront enforcement actions remind covered entities and business associates of the importance of understanding and following the HIPAA individual rights provisions. Roger Severino, OCR Director, stated in a press release announcing the Korunda settlement, “for too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope [the] Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.” Given OCR’s increased attention to individual complaints regarding access to PHI, covered entities should review policies and procedures and provide education to staff responsible for processing individual requests.