Two psychiatrists, two federally qualified health centers (including one that’s part of a housing nonprofit serving the homeless and AIDS patients) and a behavioral health practice are the latest HIPAA covered entities (CEs) to feel the wrath of the HHS Office for Civil Rights (OCR) for allegedly failing to provide patients or parents access to records in a timely manner. Payments from the five collectively total $136,500.
While four of these are among the smallest and least resource-rich of CEs nationwide, they weren’t the only ones OCR recently singled out for enforcement. The five were announced together Sept. 15, but later in the month OCR issued three more settlements—stemming from hacking-related breaches—and each of them was for more than $1 million (see related stories).
OCR is now up to seven settlements related to thwarted access to medical records—it had two last year—and it isn’t done yet, RPP has learned. In a phone interview on Oct. 1, OCR Director Roger Severino told RPP that two more settlements over access are in the works, which he predicted would be out in “days instead of weeks.”
In response to RPP’s question as to why CEs aren’t complying, Severino said he thought this was, “in part, because they haven’t been made aware that there are actually consequences, but now they’re being made aware. That’s part of the message being sent through our enforcement initiatives. There have been plenty of warnings. There’s been plenty of education, and now it’s time to do enforcement to help induce compliance.”
Severino added that “it’s not the practice’s decision to make whether or not [the request] is important enough for them to ever get around to it. If it’s important to the patient, it should be important to the provider, as well.”
Asked why more settlements were necessary, Severino said OCR officials “don’t set a numerical target and say, ‘We’re done.’ What we do is, we enforce until we see a change that’s palpable in compliance, and hopefully we'll see the number of complaints go down with respect to the right of access. And that will be a very good signal that the industry is coming into greater compliance.”
OCR, Severino noted, has “historically had a mix” of enforcement actions against a variety of entities. He said that “the obligation is still the same” to provide records access, regardless of the entity’s size. As Severino pointed out, “when it comes to the right of access, it really isn’t all that complicated, as compared to some of the other technical requirements” under HIPAA.
Payments in the access cases range from $3,500 to 20 times that amount. The entities stretch from California to Colorado and New York, and as far south as Virginia; all agreed to either a one- or two-year corrective action plan (CAP) in addition to payments.
It is always worthwhile to review OCR’s enforcement actions in detail to learn how to sidestep the pitfalls that have gotten these CEs and business associates (BAs) in trouble. Agreements were signed over a period of time this year but were all released together. None of the organizations admitted liability. And one, a psychiatrist in Colorado, told RPP he had no knowledge of the record request at issue until OCR contacted him. 
Unlike some of the settlements that commonly relate to breaches and take years to finalize, these stem from fairly recent complaints; one was filed in 2017, and the others are from 2018 and last year. Only one of the four organizations is a repeat offender that was first offered help to comply by OCR. All of the others were subject to a settlement agreement for failing to properly handle a solitary request for records.