HHS Slaps 5 More Entities in HIPAA 'Right of Access' Disputes
Cases Include 4 Settlements, Plus a Rare Civil Monetary Penalty
As part of an ongoing campaign promoting patients' access to their health records, federal regulators this week revealed they have taken enforcement actions against healthcare providers in five more cases involving failure to comply with the HIPAA Privacy Rule's right of access provision.
The Department of Health and Human Services' Office for Civil Rights' enforcement actions include four settlements ranging from $10,000 to $160,000, plus a $100,000 civil monetary penalty against a solo-practice cardiovascular physician.
Under the HIPAA right of access provision, individuals have a right to view and receive copies of their health information from their healthcare providers and health plans. After receiving a request, a HIPAA covered entity has 30 days (absent a single 30-day extension, which requires written notice to the requester) to provide the individual or their personal representative with the records, and may charge only a reasonable, cost-based fee.
“OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
Civil Monetary Penalty
Among the enforcement actions announced this week, HHS OCR says it levied a $100,000 civil monetary penalty against New Hyde Park, New York-based cardiovascular and internal medicine physician Dr. Robert Glaser.
The case stems from two complaints that HHS OCR received from a former patient in 2017. HHS OCR says Glaser failed to cooperate with the agency's investigation and did not respond to OCR's multiple requests for information.
The patient alleged that Glaser failed to respond to several written and verbal requests he made for access to his medical records from 2013 to 2014. OCR says it determined that Glaser failed to provide access to medical records in response to a lawful request from his patient. The violation continued from February 2018 to October 2020 and constituted willful neglect, OCR says.
Glaser did not immediately respond to Information Security Media Group's request for comment on the case.
In most HIPAA enforcement cases that end with a financial payment by a covered entity or business associate, the payment is agreed to as part of a settlement or resolution agreement.
OCR generally imposes a civil monetary penalty, rather than negotiating a settlement, only in cases that involve a lack of cooperation with investigators or a failure to take the corrective steps OCR recommends. As a result, OCR to date has announced only a handful of cases involving civil monetary penalties (see: Appeals Court Vacates $4.3 Million HIPAA Penalty).
HHS OCR's other enforcement actions announced this week include resolution agreements with four covered entities to settle their potential violations of the HIPAA Privacy Rule's right of access standard. Those cases include:
- A $160,000 settlement and corrective action plan with Eugene, Oregon-based eating disorder treatment services provider Rainrock Treatment Center, LLC, which does business as Monte Nido Rainrock. HHS OCR says it received multiple complaints from a Monte Nido patient alleging that the entity failed to provide her with a copy of her medical records in response to access requests made in October 2019 and November 2019. Monte Nido did not send the requested records until May 2020. Monte Nido did not immediately respond to ISMG's request for comment on its settlement.
- A $32,150 settlement and corrective action plan with Springboro, Ohio-based Advanced Spine & Pain Management, which provides treatment services for chronic pain. HHS OCR says it received a complaint from an ASPM patient alleging that the entity failed to provide him with timely access to his protected health information after he submitted a written access request in person in November 2019. HHS OCR's investigation found that ASPM acknowledged receiving the request on the date it was submitted but did not send the patient a copy of his records until about four months later, in March 2020. ASPM did not immediately respond to ISMG's request for comment on its settlement with HHS OCR.
- A $30,000 settlement and corrective action plan with Denver, Colorado-based Denver Retina Center, a provider of ophthalmological services. HHS OCR says it received two complaints against DRC, in March 2018 and June 2019, from a patient alleging that DRC did not fulfill her requests for access to her medical records. HHS' investigation found that DRC failed to provide the patient with timely access to her health records. DRC did not immediately respond to ISMG's request for comment on its settlement with HHS OCR.
- A $10,000 settlement and corrective action plan with Raleigh, N.C.-based Wake Health Medical Group, a provider of primary care and other healthcare services. HHS OCR says that in December 2020 it received a complaint from a patient alleging that Wake Health Medical Group had not provided her with a copy of her medical records despite her having made a request in person in June 2019 and having paid a $25 fee for the records. To date, Wake Health Medical Group has still not provided the complainant with a copy of her medical records, HHS OCR says. Wake Health Medical Group did not immediately respond to ISMG's request for comment.
Besides the financial settlements, each of the resolution agreements in these cases requires the entity to take corrective actions, such as developing, maintaining, revising and implementing written policies and procedures to comply with the HIPAA Privacy Rule's right of access provision. The corrective action plans also require the entities to distribute those policies to their workforces and relevant business associates and to provide related training.
To date, HHS OCR has taken a total of 25 enforcement actions in HIPAA right of access cases – including the five cases announced this week - since the agency launched its initiative to prioritize compliance with the provision in April 2019.
That includes a total of 19 enforcement actions resulting in resolution agreements with corrective action plans and financial settlements ranging from $3,500 to $200,000, plus the recent $100,000 civil monetary penalty against Glaser.
"These cases reflect a continuing interest from OCR in pursuing access violations," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"This is a recognition of the importance of this right and a clear signal to the regulated community that they need to pay attention to these issues. It is still surprising that covered entities haven’t gotten this message yet," he says.
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC notes that typically, OCR provides HIPAA covered entities the opportunity to take voluntary corrective action to resolve complaints from patients over access to their health information.
"It is important to prioritize the 'corrective actions' identified in OCR’s correspondence," he urges.
That includes: examining how the covered entity enables an individual's access rights; reviewing the policies and procedures under which individuals request and obtain access to PHI to determine whether they comply with the mandated criteria; verifying that access was provided consistent with those policies and procedures; and making sure responses were made in a timely manner, he says.
Holtzman notes that since OCR began its right of access initiative in 2019, the majority of the enforcement actions have been taken against smaller healthcare providers. "Most of these cases appear to have been fast tracked, given administrative priority from the time the complaint is received through resolution by enforcement," he says.
However, "during this same period there have been over 1,200 large data breaches reported to HHS. These HIPAA breaches have affected approximately 50 million people," he notes.
A significant number of the breaches reported to OCR appear to show violations of the HIPAA standards due to late reporting, failure to adequately secure information systems, or train workforce members on safeguarding PHI, he contends. "I believe it is fair to ask when HHS will pursue a more balanced approach to its enforcement of the HIPAA standards."
Overall, HHS OCR has announced a total of 14 HIPAA enforcement settlements totaling about $5.6 million so far in 2021. That includes 12 "right of access" cases (see: HHS OCR's Latest HIPAA Enforcement Action).
Nahra says he suspects there has been "a bit of a hiatus on other kinds of OCR enforcement" due to HHS OCR's leadership transition under the Biden administration, as well as the implications of a ruling in January by the 5th Circuit U.S. Court of Appeals in Louisiana.
The court vacated a $4.3 million HIPAA civil monetary penalty levied in 2017 by HHS OCR against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices. The court called the penalty "arbitrary, capricious and contrary to law," and was broadly critical of HHS OCR's interpretation of HIPAA requirements and of how it calculates civil monetary penalties.
HHS OCR did not immediately respond to ISMG's request for comment.