OCR's New Initiative Pursues Enforcement of Patients' Right of Access under HIPAA
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is actively pursuing HIPAA enforcement actions pursuant to the Right of Access Initiative that OCR announced earlier this year. Under this initiative, OCR’s goal is to ensure that patients are receiving their medical records in a timely fashion and in their format of choice without being overcharged. Korunda Medical, LLC (Korunda), a Florida-based provider of comprehensive primary care and interventional pain management, is the second health care provider to have settled a HIPAA violation under this initiative.
OCR received a complaint about Korunda in March 2019 alleging that Korunda failed to promptly provide medical records to a third party even after the patient repeatedly requested them to do so. Additionally, Korunda charged the patient in excess of the allowable cost under HIPAA and failed to provide the records in an electronic format as requested by the patient. OCR stepped in to rectify the issue less than two weeks later and closed out the complaint by providing Korunda with technical assistance to help them comply with HIPAA. Korunda, however, still failed to provide the records, and the patient submitted another complaint to OCR. OCR then intervened for a second time – this time prompting an investigation into Korunda’s practice. The investigation led to Korunda providing the records to the patient free of charge in the requested format in May 2019, paying an $85,000 fine to HHS, and agreeing to implement a corrective action plan. The corrective action plan requires Korunda to, among other things, review and revise its policies, as necessary, to comply with access-related provisions under HIPAA, provide privacy training relating to a patient’s right of access to PHI, and report to HHS any denied requests for access.
In light of this initiative, health care providers should pay attention to this type of enforcement occurring within OCR. Providers may be more focused on complying with certain parts of HIPAA that are aimed at preventing the unauthorized use and disclosure of PHI and inadvertently overlook other important rights that are afforded to patients under the Privacy Rule. OCR’s initiative just commenced in 2019, and the agency has promised to “vigorously enforce” the patient’s right of access, as stated in HHS’ December 12th press release.