In the below Healthcare Risk Management article, Schellman & Company Senior Manager Ryan Meehan shares insights on HIPAA settlements that hold lessons on an individual's Right of Access and Failure to Notify after a breach.
The Office for Civil Rights (OCR) recently announced two HIPAA settlements that offer lessons for covered entities regarding right of access and failure to notify after a breach.
In early 2019, OCR announced it would take steps to enforce the rights of patients to receive copies of their medical records timely and at a reasonable cost. This led to the introduction of the HIPAA Right of Access Initiative.
In September 2019, OCR issued a penalty to Bayfront Health St. Petersburg, FL, a fine of $85,000. This was the first enforcement action and settlement under this new initiative. In December, OCR settled a second case, this time with Korunda Medical in Florida, which agreed to take corrective actions and pay an $85,000 fine.
In a press announcement about the Korunda settlement, OCR explained the Right of Access Initiative was the agency’s promise to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.”
The settlement addressed a patient complaint alleging Korunda failed to forward a patient’s medical records in electronic format to a third party despite numerous requests. “Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format, and charged more than the reasonably cost-based fees allowed under HIPAA,” OCR said. “OCR provided Korunda with technical assistance on how to correct these matters and closed the complaint. Despite OCR’s assistance, Korunda continued to fail to provide the requested records, resulting in another complaint to OCR.”
Ryan Meehan, healthcare senior manager of Schellman & Company, a global independent security and privacy compliance assessor based in Tampa, FL, explains that the regulation from which these cases and fines are emerging can be traced to the HIPAA Privacy Rule requirements under §164.524, which concerns an individual’s access to protected health information. Specifically, he says, these cases seem to revolve around the requirement that “the covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.”
“While the Bayfront case focused on significant delays — nine months when the standard requires it to be submitted in the proper format within 30 days — the Korunda case is notable in that the format in which the files were eventually provided to the individual was not appropriate and the cost to the individual for access to their ePHI was not reasonable,” Meehan says. “The OCR came in to provide technical assistance after the initial complaint was received, but the case had to be reopened as Korunda was still noncompliant. This is the first case in which the format and cost are being considered and factored into a fine from the OCR.”
In looking at the fines Korunda received, Meehan says it is worthwhile for risk managers and compliance officers to revisit the HIPAA requirements on which the fine is based. He cites these provisions:
Privacy Rule § 164.524(b)(2)(i)
“…the covered entity must act on a request for access no later than 30 days after receipt of the request as follows”;
Privacy Rule § 164.524(c)(2)(i)
“The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.”
Privacy Rule § 164.524(c)(2)
“If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee.”
While there are defined exceptions noted within the standard, Meehan says “it is clear that the OCR is taking seriously the effort for individuals to access their ePHI. In the case of Korunda, this is now extending beyond just the timeliness of those individuals receiving their ePHI; it also extends to include the format and cost associated with the request.”
Meehan stresses the importance of reviewing how individuals might request information and if the organizations can meet those requests appropriately. “Decide whether there is confidence that the records can be provided timely, that the records are kept in an appropriate manner that has been defined and known by the individual, and that there is a justifiable and reasonable cost associated with providing those requests to the individual,” Meehan explains.
The key takeaway from the Korunda settlement is the necessity of respecting basic compliance obligations, says Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA. When considering the individual right to access, the right has been around as long as the privacy rule, he notes. Further, the parameters around access are clear, he says. Thus, delaying a response or giving an individual a runaround is not something that should occur.
“OCR had been making a number of public comments about focusing on the right of access. Finally getting two settlements in that regard should not have been overly surprising,” Fisher offers. “The message being sent is that if organizations continue not honoring the right of access, then enforcement will follow.”
Fisher notes the relatively small dollar amount of the fines, wondering “whether a sufficient message of deterrence has been made.”
OCR also may be sending a message with the settlement amounts in both right to access cases, says Matt Frederiksen-England, CHC, CHPR, CHRC, faculty member at Walden University in Minneapolis. He notes Bayfront is a level II trauma tertiary care, with about 480 beds and more than 550 physicians, while Korunda is a much smaller provider, seeing about 2,000 patients per year. “OCR has now applied the same fines to both a large institution and a smaller provider-based office,” he says. “OCR is making a statement showing they will hold all accountable to the HIPAA Privacy Rule requirements regardless of size.”
The Korunda settlement signals OCR is taking a much stronger approach to making sure patients can access their information, says William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL.
“OCR wants it to be clear that patients have a right to get access to their records, and in an appropriate format,” Dillon says. “You don’t have to go out and buy special software, but if it is feasible to give patients the data in the format they want, you have to do it because OCR is not going to tolerate a failure to give patients access to their data.
About the AuthorMore Content by Ryan Meehan