The other four cases in which the right of access enforcement continued involved more egregious behavior. In one, the provider failed to provide the patient access to inspect AND access a copy of records. The provider was hit with a $15,000 fine and a two-year corrective action plan (CAP), under which the provider must develop Privacy Rule policies and procedures, and train employees on them.
Beth Israel Lahey Health Behavioral Services (“BILHBS”), the target of the third, $70,000 fine, failed to timely provide a woman who had been appointed as the personal representative of her father’s estate with her father’s medical records, taking almost a whole year to deliver the records in full.
Two-employee practice Patricia King MD & Associates (“King MD”) took two times to get HIPAA right. On October 18, 2018, OCR received a complaint alleging Patricia King MD & Associates failed to provide an individual with access to her protected health information. OCR, instead of issuing a fine, provided this psychiatry practice with technical assistance regarding the right of access provision. The help was for naught, as in February of 2019, OCR received a second complaint about continuing noncompliance. After investigation, OCR fined King MD $3,500 and imposed a two-year corrective action plan. The OCR 2020 CAP requires King MD to implement the policies and procedures that were the subject of the technical assistance.
In another case, a father who requested his minor son’s medical records from Wise Psychiatry PC gave Wise all of the information it needed to process a November 2017 request, to which Wise did not respond until May of 2019 – only after the father complained to OCR. As a result of OCR’s investigation, Wise Psychiatry sent the complainant a copy of his son’s PHI via certified mail on May 30, 2019. The year-and-a-half delay’s price tag: a $10,000 fine and corrective action plan.
What Did the Fines Have in Common?
The five fines shared commonalities with each other, and with the six additional right of access fines issued before year’s end. In each instance, the provider that was fined was a relatively small shop. The fine that was issued was relatively small – no fine exceeded $200,000. Of course, some of the fines differed from each other in a few particulars – some practices were GPs, some orthopedic, some psychiatric, and the fines were issued to practices as far west as California and as far east as New York (which earned the distinction of “state having the most OCR 2020 fines”).
What the OCR 2020 right of access fines ultimately share in common is that they are evidence that OCR is making good on its promise to enforce the right of access initiative. Providers who ignore or refuse to respond to patient requests are subject not only to onerous corrective action plans and fines, but to negative publicity stemming from being prominently placed on OCR’s website.