Once again, the Department of Health and Human Services proves that being a small practice doesn’t mean you won’t get fined. The latest fine under the HIPAA Right of Access Initiative was issued to a sole-practitioner mental health service provider.
In December 2017, a personal representative (father) filed a complaint against David Mente, MA, LPC, after Mente failed to provide him with the medical records of his three minor children. The Office for Civil Rights (OCR) provided technical assistance to the health provider and closed the incident. However, in April 2018, the father still had not received the requested records, so he filed a second complaint.
After launching an investigation, OCR determined that Mente potentially violated HIPAA, announcing on May 8, 2023, that it settled with Mente for $15,000. The settlement also requires Mente to meet the access request and implement a corrective action plan (CAP).
“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records. HIPAA regulated entities should be proactive and work to ensure patients and their representatives can access records.”
Steps to Meeting the HIPAA Right of Access Rule
The fine issued in May 2023 is the 44th HIPAA fine under the HIPAA Right of Access Initiative, proving that OCR expects providers to take access requests seriously.
The following are steps you can take to ensure that you meet HIPAA right of access requirements:
- Provide patients with a Notice of Privacy Practices outlining their rights
- Provide patients or their personal representatives with the requested records within thirty days of the request
- If an extension is applicable, and records cannot be provided within the thirty-day time frame, notify the patient and provide records within sixty days of the request
- Provide records in the format the patient requests (e.g., paper, CD, USB)
- Provide all information contained in the patient’s designated record set
- Do not overcharge for records requests (limited to a reasonable cost-based fee)
Prevent Fines with HIPAA Compliance
The best way to protect your practice from HIPAA fines is with compliance. HIPAA-compliant practices understand their obligations under the law, including how to meet patient record requests.
Compliancy Group offers automated HIPAA compliance software that allows practices to meet HIPAA standards, document compliance, and maintain their efforts. Clients receive a complete HIPAA solution that includes policies and procedures, employee training, business associate agreements, and more.
The best part? Everything HIPAA requires is available from the compliance dashboard, and our Compliance Success Team guides you through it.