Though 2020 was full of surprises for the healthcare industry, enforcement in the world of HIPAA regulations remained steady and serious. You likely had to make adjustments to your office procedures, staff, means of providing services, and more in order to ride the ups and downs of the pandemic. We want you to know that HIPAA compliance —especially right of access to one’s medical records — is one area in which you still shouldn’t let your guard down.
HIPAA remains a vital component of a thriving therapy practice, both for your patients’ sake and your own.
Last year, enforcement was especially stringent when it came to the Right of Access Initiative established by the Office for Civil Rights (OCR) in 2019.
This initiative was OCR’s promise to strictly enforce penalties, which can include fees, monitoring, and corrective action, for any HIPAA-covered entity that fails to provide a patient with his or her records in a timely manner.
Why Patients’ Right of Access to Their Records is Important
The right to access one’s own protected health information (PHI) is fundamental to HIPAA. Some providers fail to realize just how important this access clause is and tend to focus exclusively on the privacy portions of HIPAA regulations. While it’s understandable that you may be overwhelmed by all that’s necessary to keep your therapy practice fully compliant, the risk is too great not to stay on top of this and every other HIPAA provision.
Patients are granted access to a designated records set, which roughly encompasses all medical and billing records that could be used to make a decision about an individual’s care.
A HIPAA-covered entity must respond to a records request within 30 days**** in one of three ways: (i) by providing the record to the patient, (ii) by denying the request based on HIPAA factors that permit such a denial, or (iii) by notifying the requester that an extension is necessary according to HIPAA protocol.
There are also stipulations about the form and format of records requested by an individual, which must be honored if possible. Requests to share PHI with a third party are also required to be executed when said request is presented in the manner designated by the provider.
As the following summary will show, not taking these guidelines into account can have dire consequences for your business.
2020-’21 Enforcement of the HIPAA Right of Access Initiative
Since this initiative was announced in 2019, nineteen settlements have taken place. The terms of each settlement vary, but any has the potential to wipe out a therapy clinic.
Though these violations have not been exclusive to the therapy industry, the HIPAA ASSIST team would argue that the repercussions that have already been enforced would be even more devastating to a therapy practice than to some other types of healthcare providers, due to size, structure, and cash flow differences.
While each situation is unique, it is clear that therapy clinic owners must continue to take HIPAA seriously, despite what’s happening in the world at large.
Below is a cursory overview of these 13 violations and the associated penalties that have been administered:
- In September 2019, OCR enforced penalties in an investigation in which a mother requested Bayfront Health St. Petersburg provide her unborn child’s records and did not receive them for nine months. The trauma center was fined $85,000, required to implement a corrective action plan, and will be subject to one year of monitoring by OCR.
- The second penalty under the Right of Access Initiative occurred in December 2019. A patient at Korunda Medical in Florida repeatedly requested that records be sent to a third party. Even after a first complaint was closed, Korunda failed to do so in a timely manner and charged the patient more than is permitted under HIPAA. They accepted the same monetary and corrective penalties as those in the first violation above.
- All Inclusive Medical Services of California finally sent a patient her records in August 2020 after two years of requests, and accepted a penalty of $15,000 in addition to taking corrective action.
- Housing Works in New York City paid $38,000 to OCR and agreed to a corrective action plan in September 2020 for failure to provide timely access to records.
- At Beth Israel Lahey Health Behavioral Services in Massachusetts, a patient was denied timely access to her father’s medical records. As a result, OCR received a $70,000 fine and enforced a corrective action plan in September 2020.
- King MD, a small psychiatric healthcare provider in Virginia, was fined $3,500 in September 2020 when, after several complaints, they failed to provide a patient with her medical records in a timely manner.
- OCR fined Wise Psychiatry of Colorado $10,000 and required compliance with a corrective action plan in September 2020 after a personal representative was refused access to his minor son’s medical records for 18 months.
- A $160,000 settlement and two years of monitoring was enforced against St. Joseph’s Hospital and Medical Center in Arizona in October 2020 when they took 22 months to provide a mother with her son’s records.
- Also in October 2020, NY Spine Medicine was penalized for not providing a patient with her medical records for over a year. They were fined $100,000 and OCR will monitor their corrective actions for two years.
- A settlement in November 2020 involved Riverside Psychiatric Medical Group in California, which paid $25,000 in yet another example of not providing a complainant with the requested medical records. With OCR’s persistence, the patient finally received the records 20 months from the first request.
- A private practitioner of otolaryngology in New York had to pay $15,000 and agree to two years of monitoring when OCR determined in November 2020 that he had failed to provide timely access to records after two complaints and despite having received technical assistance.
- Also in November 2020, the University of Cincinnati Medical Center settled and agreed to pay $65,000 and take corrective action after failing to provide a lawyer with timely access to a patient’s medical records.
- In December 2020, consisted of a primary health care provider in Georgia agreeing to a $36,000 fine and a corrective action plan with two years of monitoring after a patient failed to receive his medical records for over one year.
- Banner Health ACE, out of Phoenix, AZ, paid a $200,000 settlement in January 2021 for two timely access violations that took place over a three-year time span.
- In February 2021, Renown Health of Nevada failed to provide a patient with her electronic health and billing records and was required to pay a $75,000 fine.
- The sixteenth right of access violation also occurred in February 2021. Sharp HealthCare, a large health group in California, paid $70,000 and agreed to corrective action to settle two untimely access complaints.
- Despite having had technical assistance from OCR, Arbour Hospital in Massachusetts faced a $65,000 fine and corrective action plan in March 2021. The hospital took more than five months to provide a patient with their records.
- Also in March 2021, Village Plastic Surgery in New Jersey agreed to pay $30,000 and follow an action plan after not providing a patient’s records within the 30-day required window.
- The Diabetes, Endocrinology & Lipidology Center of West Virginia paid a penalty of $5,000 in June 2021 for failing to produce a minor’s health records following a parent request.
Note that every one of the above breaches involved lack of timely access! The 30-day limit to providing requested PHI should be built into your clinic’s regular procedures.
It’s also noteworthy that the average penalty for a timely access violation has significantly increased as OCR has been cracking down since the Right of Access Initiative was introduced.
Worried that your therapy clinic may not be fully HIPAA-compliant after reading this list of real-world penalties? Find out where you stand by completing our free self-evaluation checklist!
Customized Guidance with HIPAA Compliance for Therapy Clinics
At HIPAA ASSIST, we support your therapy clinic with customized compliance advice and help you avoid potentially exorbitant penalties like those listed above. We customize your clinic’s HIPAA training, as well as your HIPAA Policies and Procedures Manual, to reflect these and other relevant changes. This means you and your staff are always kept current.
Schedule a custom compliance evaluation to find out what it could look like for your clinic to have tailored guidance from our team of HIPAA experts.
****As of 7/14/21, HHS is looking to change the 30 days to ASAP, not to exceed 15 days. https://healthitsecurity.com/news/hhs-proposes-hipaa-privacy-rule-changes-improving-right-of-access