Tis the season for HIPAA financial penalties

December 24, 2019

Why practices must provide patients with their records or face the consequences.

The trend continues as the Department of Health and Human Services Office for Civil Rights (OCR) issues its 9th enforcement action of 2019.

On September 13, 2019, I wrote a Physician’s Practice article entitled “Failure to provide patient records can result in a HIPAA fine.” That article addressed one of the nine enforcement actions – Bayfront Health’s failure to provide a pregnant woman with a complete copy of her medical record by omitting the fetal heart rate monitor records of her unborn child. As a result, the hospital agreed to pay $85,000 and implement a corrective action plan.

It’s now December 2019 and OCR continues to focus on Privacy Rule violations for failing to comply with HIPAA’s Right of Access. This time, Korunda Medical, also a Florida-based provider, agreed to pay $85,000 to settle potential violations of the HIPAA Right of Access, adopt a corrective action plan and revise its policies and procedures to bring them into compliance with the Right of Access.

The HIPAA Right of Access Initiative has been identified as an enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a manner that comports with the law. It is also important to read state laws, which often have shorter time periods for providing medical records to patients.

As OCR Director Roger Severino articulated, “[f]or too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”

In Korunda Medical’s case, an initial complaint was filed with OCR on March 6, 2019. Subsequently, on March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and the complaint was closed. Four days later, a second complaint was received and on May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. And, as stated above, a monetary settlement was paid and a corrective action plan was implemented.

Two issues come to mind with this most recent fine. First, why weren’t policies and procedures reviewed more closely and on an annual basis to ensure that the content was adequate? Second, how was this missed during the requisite, annual risk analysis? As the year comes to a close and compliance preparations are reviewed, covered entities, business associates and subcontractors should evaluate the quality of their policies and procedures, training and risk analysis. Doing so could lead to a year of “days that are merry and bright!”

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.