The other four cases in which right of access enforcement continued involved more egregious behavior. In one, the provider failed to provide the patient access to inspect and access a copy of records. The provider was hit with a $15,000 fine and a two-year corrective action plan (CAP), under which the provider must develop Privacy Rule policies and procedures and train employees on them.
Beth Israel Lahey Health Behavioral Services (“BILHBS”), the target of the third, $70,000 fine, failed to timely provide a woman who had been appointed as the personal representative of her father’s estate with her father’s medical records, taking almost a whole year to deliver the records in full.
Two-employee practice Patricia King MD & Associates (“King MD”) needed two tries to get HIPAA right. On October 18, 2018, OCR received a complaint alleging Patricia King MD & Associates failed to provide an individual with access to her protected health information. Instead of issuing a fine, OCR provided this psychiatry practice with technical assistance regarding the right of access provision. The help was for naught, as in February of 2019, OCR received a second complaint about continuing noncomp