In late March of 2021, the Department of Health and Services (HHS) Office for Civil Rights (OCR) settled with New Jersey-based Village Plastic Surgery (VPS) for a potential violation of the HIPAA right of access rule. The $30,000 settlement requires VPS to undergo a two-year corrective plan (CAP). The details of the settlement are discussed below.

Village Plastic Surgery HIPAA Right of Access Rule Violation

HIPAA right of access rule violation

VPS, located in Ridgewood, New Jersey, provides cosmetic plastic surgery services. A patient of this small practice made a request to access her medical records in August of 2019. The patient did not receive the records. She filed a complaint with OCR in September of 2019. OCR concluded in its subsequent investigation that VPS had potentially violated the HIPAA Privacy Rule. 

The HIPAA Privacy Rule’s right of access standard requires providers to take action on access requests within 30 days of when the request is made (or within 60 days if an extension is applicable). As a result of OCR’s investigation, VPS sent the patient her requested records.

In lieu of being issued a civil monetary penalty (CMP), VPS chose to enter into a settlement agreement with OCR. The agreement requires VPS to pay $30,000 to OCR, and to submit to a two-year corrective action plan (CAP). The CAP requires VPS to review and revise policies and procedures for individual access to PHI. 

VPS must take the following actions:

  • VPS must review and revise its policies and procedures related to access to protected health information (PHI). The revised policies and procedures must identify VPS’s methods for calculating a reasonable, cost-based fee for access to PHI held in paper or electronic form. 
  • Once VPS makes the revisions, HHS will review them and recommend changes if necessary. After HHS receives the recommended changes, VPS has 30 calendar days to provide the revised policies and procedures to HHS for approval. The process of submission for revisions will continue until HHS approves the policies and procedures.
  • Within 30 days after receiving HHS’ final approval of revisions, VPS must implement and distribute the policies and procedures to its workforce. 

Once VPS distributes the policies and procedures, it must require a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and will abide by the privacy procedures.

In addition to policies and procedures, VPS must provide HHS with training materials regarding the right of access to PHI. Within 30 days of HHS’ approval of these materials, VPS must provide training to all workforce members on the right of access requirement. Each workforce member who attends training must certify, in written or electronic form, that he or she has received the training on the right of access requirement. The training certification must state the date on which the training was received. 

To make sure that VPS complies with the right of access requirement going forward, HHS will require VPS, every ninety days until the CAP is over, to submit a list of requests for access to PHI received by VPS, including the date the request was received, the date the request was answered, the format of the request, the number of pages (if provided in paper format), and the cost charged for access, excluding postage.  

Third Party Verification and Validation