Another Fine Tied to Patient Access to Records AnnouncedThis Is Second Case Since OCR Launched Initiative in April
For the second time in recent months, federal regulators have slapped a healthcare provider with a HIPAA financial settlement in a case involving patients' rights to access their health information.
The Department of Health and Human Services' Office for Civil Rights said Thursday it signed a $85,000 settlement with Korunda Medical, a Naples, Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.
The HIPAA rules generally require healthcare providers to provide medical records within 30 days of the request in the format requested by the patient, and providers can only charge a reasonable cost-based fee.
OCR says that in March 2019, it received a complaint that Korunda failed to forward a patient's medical records in electronic format to a third party despite repeated requests.
"Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA," OCR says.
OCR says it initially provided Korunda with technical assistance on how to correct these matters and closed the complaint. "Despite OCR's assistance, Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the requested records were provided for free in May 2019, and in the format requested," the HIPAA enforcement agency says.
"For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia," says Roger Severino, OCR director, in the statement. "We hope our shift to the imposition of corrective actions and settlements under our right of access initiative will finally wake up healthcare providers to their obligations under the law," he says.
OCR did not reveal the records fee Korunda initially charged the patient in the case. Korunda Medical did not immediately respond to Information Security Media Group's request for comment on the settlement.
The enforcement action against Korunda follows a similar $85,000 HIPAA settlement in September with another Florida healthcare entity, Bayfront Health St. Petersburg. That was the agency's first enforcement action in its new "HIPAA right of access initiative" launched in April (see HHS Lowers Some HIPAA Fines).
"This is an important issue and indicative of the larger, national failure to comply with HIPAA privacy regulations that endangers medical identity and patient safety," notes independent HIPAA attorney Paul Hales. "The Korunda settlement, following on the heels of the Bayfront Health St. Petersburg settlement, is extremely important. It's another shot across the bows of all covered entities."
Compliance with the HIPAA right of access mandate has been an ongoing problem in the healthcare sector, some observers say.
"Failure to provide access to PHI is a well-known, widespread violation of individual rights guaranteed by HIPAA," Hales notes. "OCR's repeated warnings, internet-based education and guidance clearly have not convinced covered entities to follow correct right of access procedures. OCR now is using its enforcement power to make covered entities pay attention."
"OCR is not just investigating cases involving delays in getting patients their records - they are looking at all aspects of the right of access."
—Deven McGraw, Ciitizen
Privacy attorney Deven McGraw, chief regulatory officer at Ciitizen, a consumer health technology company that is building a platform to help provide patients better control of their health records, offers a similar assessment.
"OCR is not just investigating cases involving delays in getting patients their records - they are looking at all aspects of the right of access, including whether any fees charged were reasonable and whether the patient's requested format - electronic - and destination - designated third party- were honored," she tells ISMG.
Corrective Action Plan
In addition to paying a financial settlement, Korunda's resolution agreement with OCR includes a corrective action plan in which the healthcare provider has agreed to:
- Review and revise its policies and procedures for individual access to protected health information, including methods for calculating a reasonable cost-based fee for access to PHI.
- Provide its workforce with privacy training on individual access to PHI.
- Submit to HHS a list of requests for access to PHI it has received and all related details, plus information on whether it denied any requests.
More to Come
Privacy attorney Kirk Nahra of the law firm WilmerHale predicts that OCR will announce similar settlements regarding access to records in the year ahead.
Pointing to the details in the Korunda case, he notes: "Companies should realize that, in addition to their regular obligations, they should seldom ignore direct instructions from OCR about what is required by the HIPAA rules."
McGraw tells ISMG that she's impressed with how quickly OCR is getting right of access complaint cases resolved. "It shows that this enforcement initiative is a major focus for the office, and they are actively using their enforcement authorities to try to improve compliance with the right of access across the board," she says.
The agency's very first HIPAA civil monetary penalty case in 2011 revolved around a healthcare provider's failure to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.
OCR levied a $4.3 million fine against Cignet Health of Prince George's County, Maryland. But OCR later confirmed that the fine was never collected because Cignet eventually filed for bankruptcy.
The settlement with Korunda is OCR's eighth HIPAA enforcement action so far in 2019. That include six settlements and two civil monetary penalty cases - containing a combined total of about $13 million in fines.
Korunda's settlement is OCR's second HIPAA enforcement action so far in December. Earlier this month, OCR announced a $2.2 million settlement with Norfolk, Va.-based Sentara Hospitals in a case involving improperly reporting a breach and lacking a business associate agreement.