On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations.
The HIPAA Right of Access Initiative is a new effort in 2019 by OCR to monitor compliance with HIPAA requirements addressing patient rights to promptly access medical records, in a readily producible format, without being subject to excessive fees. OCR announced its first settlement under the Right of Access Initiative in September 2019 (see our analysis of that settlement here), and this settlement indicates a continued focus by OCR on HIPAA compliance by providers when responding to patient requests for records.
In this case, OCR entered into an $85,000 settlement with Korunda Medical, LLC (Korunda), a Florida-based primary care and pain management provider, after conducting an investigation which indicated that Korunda failed to provide a patient with timely access to protected health information in accordance with the Privacy Rule. According to the resolution agreement, Korunda’s alleged failure to comply with HIPAA’s right of access for individuals came after OCR had received a prior complaint and provided “technical assistance” to Korunda regarding the individual right of access under HIPAA. In addition to the monetary payment, OCR and Korunda entered into a one-year corrective action plan, under which Korunda is obligated review and revise its policies concerning access to medical records, provide workforce training on individual access rights, and submit a list of medical record access requests received by Korunda from individuals every 90 days to OCR after approval of its updated access policies.
This settlement reiterates the importance for covered entities and business associates to review their policies and procedures governing production of medical records in response to patient requests, and the importance of responding to patients in a timely manner. This settlement is also a warning to entities that receive technical assistance from OCR that the government is unlikely to overlook subsequent allegations of non-compliance following such assistance. Finally, it is interesting to note that the monetary settlement here – $85,000 – for alleged violations of HIPAA’s right of access is the same amount extracted by OCR in its first Right of Access Initiative settlement (despite the defendant in that case being a larger entity), suggesting that OCR may view that amount as a “floor” for resolution of potential violations under the HIPAA Right of Access Initiative.