OCR Settles Five Privacy Rule Violations

In September of 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it settled HIPAA Privacy Rule right of access violations with five separate healthcare entities. The total settlement with all five organizations amounts to $136,500. In each instance, the healthcare provider was fined, and ended up settling with OCR, for its failure to provide patients with timely access to their medical records. The five HIPAA Privacy Rule violations are listed below.

Privacy Rule Violations: Housing Works, Inc.

Housing Works, Inc. (HWI), a New York City non-profit organization, provides healthcare services to individuals living with and affected by HIV/AIDS. On August 13, 2019, OCR received a complaint from a patient, alleging that HWI had not provided him with a timely copy of his medical records. After investigation, OCR concluded that HWI failed to provide the patient with timely access to his records. To settle the HIPAA Privacy Rule violations, Housing Works Inc. agreed to pay $38,000 to OCR and to adopt a corrective action plan. Under the corrective action plan (CAP), HWI has agreed to review and revise its policies and procedures for individual access to PHI, and to provide privacy training to its workforce on individual access to PHI.

Privacy Rule Violations: All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS), a California multi-specialty family medical clinic providing pain management and rehabilitation services, was the subject of a April 2018 OCR complaint brought by a patient, who claimed AIMS denied her requests to inspect and receive a copy of her medical records. Upon investigating the complaint, HHS concluded that AIMS failed to provide access to, and failed to provide a copy of, the PHI of the patient. The investigation prompted AIMS to send the medical records two and one half years later, in August of 2020. To avoid a fine for Privacy Rule violations, AIMS agreed to pay $15,000 to OCR. AIMS also agreed to adopt a corrective action plan (CAP).

Privacy Rule Violations: Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) has agreed to pay $70,000 to OCR and to adopt a corrective action plan to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. BILHBS, the largest network of mental health and substance use disorder services in East Massachusetts, was the subject of an April 2019 complaint. In the complaint, a personal representative alleged that BILHB failed to respond to a February 2019 request by that representative. After an OCR investigation, BILHBS provided the information, six months later, in October of 2019. 

Privacy Rule Violations: King MD

King MD, a psychiatric services provider, was the subject of an October 2018 OCR complaint. The complainant alleged that King MD failed to respond to her August 2018 request for access to her medical records. After receiving the complaint, OCR provided King MD with technical assistance on the right to access requirements, and closed the complaint. However, in February of 2019, OCR received a second complaint, in which the complainant alleged that King MD had still failed to provide her with access to her records. OCR again investigated, determining that the failure to provide the records likely violated the HIPAA right of access standard. Finally, King MD provided the patient with her records in July of 2020. King MD agreed to pay $3,500 to OCR and to adopt a corrective action plan to settle this HIPAA violation.

Wise Psychiatry, PC

Wise Psychiatry, PC (Wise Psychiatry) entered into a $10,000 settlement and CAP with OCR, to settle a potential right of access violation. Wise provides psychiatric services in Colorado. In February of 2018, OCR received a complaint alleging that Wise failed to provide a personal representative with access to his minor son’s medical records. The access was requested back in November of 2017. Even after OCR provided Wise with technical assistance on the right of access requirement, Wise failed to provide the records. OCR, upon investigation, concluded that Wise failed to provide the records, and that this failure likely violated the right of access standard. In May of 2019, Wise finally provided the personal information. The corrective action plan requires Wise to distribute and train its workforce on Privacy Rule policies and procedures. 

What Do These Privacy Rule Violations Have in Common?

The total settlement money paid to OCR by the five healthcare providers amounts to $136,500. In each of the five cases, the providers, both large and small, and across different specialties,  failed to take its Privacy Rule obligations seriously. As a result, patients, without being given timely access to their own medical information, were impeded in their ability to make their own healthcare decisions.