The Department of Health and Human Services’ Office for Civil Rights has announced 11 further financial penalties to noncompliant HIPAA-regulated entities for violating the HIPAA Right of Access. The new announcement comes as a warning to all healthcare providers to adhere to HIPAA law. The latest penalties issued by the OCR were all a result of entities insufficiently providing patients with timely access to their information.
The HIPAA Right of Access was introduced to award individuals their rights to view a copy and alter their protected health information upon request. This information includes name, address, date of birth, Social Security number, and any other individually identifiable information. When such requests are made, the entity must issue the information in full within 30 days. Requests can be issued by the patients themselves, family members, or their nominated representatives. Fees for receiving a copy of the records can only be charged an appropriate amount.
The OCR, HIPAA law’s primary enforcer, began an enforcement action initiative for violations to HIPAA Right of Access in 2019, in response to indications of extensive noncompliance within the healthcare industry. The result of which is several financial sanctions on HIPAA-regulated entities. In the latest OCR announcement, 11 noncompliant entities were named. These include CPM Podiatry, Memorial Hermann Health System, Southwest Surgical Associates, Hillcrest Nursing and Rehabilitation, Melrose Wakefield Healthcare, Erie County Medical Center Corporation, Fallbrook Family Health Center, Associated Retina Specialists, Coastal Ear, Nose, and Throat, Lawrence Bell, Jr, D.D.A, and Danbruy Psychiatric Consultants. The financial penalties imposed by the OCR ranged from $3,500 to $240,000. ACPM Podiatry was issued a civil monetary penalty for refusing to cooperate with the OCR. Despite receiving technical assistance and multiple requests, the entity still withheld patient records. Alternatively, 3 of the financial penalties were a result of a HIPAA-regulated entity withholding records from a patient’s nominated representative.
As of 2022, the OCR has issued 122 financial penalties in response to HIPAA violations since 2008. The OCR director stresses the importance of compliance to HIPAA law, “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records. Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records”.