(Un)Lucky Thirteenth HIPAA Right of Access Initiative Investigation Results in Primary Care Provider Paying $36,000 to OCR

Posted: 12/28/2020
Industries: Health Care | HIPAA / Health Information Privacy and Security

On December 22, 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced a settlement of a thirteenth enforcement action under its HIPAA Right of Access Initiative (the “Initiative”). The Initiative began in 2019 and is an OCR enforcement priority to support an individual’s right to timely and easy access to their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In 2020, OCR has announced ten other settlements pursuant to the Initiative: against an Academic Medical Center, a psychiatric practice, an otolaryngologist, a neurology and pain management practice, St. Joseph’s Hospital and Medical Center, and five other health care providers.

In the most recent settlement, Peter Wrobel, M.D., P.C. d/b/a Elite Primary Care (“Elite”) agreed to pay $36,000 and take corrective actions to resolve a potential violation of the HIPAA Privacy Rule’s right of access standard. Elite provides primary care services in Georgia.

In April 2019, OCR received a records access complaint from an individual alleging that Elite failed to respond to the complainant’s request for access to his medical records. OCR provided technical assistance to Elite on the HIPAA Privacy Rule’s access provision and advised Elite to review the facts of the request for access and provide the requested documents promptly if appropriate. OCR subsequently closed the complaint. In October 2019, OCR received a second complaint stating that Elite continued to deny the complainant’s right to access his medical records. OCR opened an investigation and determined that Elite’s failure to provide the requested materials was a potential HIPAA violation. Elite did not provide the complainant with the requested records until May 2020.

In addition to the monetary settlement, Elite entered into a corrective action plan (“CAP”). The CAP did not include an admission of liability. Under the CAP, Elite will be subject to two (2) years of monitoring and must do each of the following:

  • Develop, maintain, and revise its written HIPAA right of access policies and procedures, to be submitted to HHS for review and approval;
  • Distribute HHS-approved policies and procedures to members of Elite’s workforce;
  • Ensure policies and procedures include minimum content requirements set forth in the CAP;
  • Submit for HHS review revised training materials and, upon receiving HHS’ approval, train Elite workforce members using the revised training materials; and
  • Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.

Elite’s settlement and CAP, together with the twelve previous settlements (including ten others in 2020), are reminders to all HIPAA covered entities of the importance of complying with HIPAA’s right of access standard and of the potential for an OCR investigation if they do not. As the new year approaches, covered entities should review their HIPAA policies and procedures to ensure they are providing individuals with prompt and complete medical records at a reasonable cost when requested, and should review HIPAA privacy and security issues generally.

Saul Ewing Arnstein & Lehr attorneys regularly counsel and assist covered entities, including health care providers, with HIPAA compliance issues. For more information relating to Saul Ewing Arnstein & Lehr’s HIPAA practice, please contact the authors or the Saul Ewing Arnstein & Lehr attorney with whom you are regularly in contact.