A small Florida primary care and pain management practice went from receiving technical assistance to paying an $85,000 financial penalty in just nine months, a head-spinning development that should serve as a warning to HIPAA covered entities (CEs) to get their records access policies and procedures down pat—now.
On Dec. 12, 2019, the HHS Office for Civil Rights (OCR) announced an agreement with Korunda Medical LLC, which has five locations based around Naples, Florida. It cares for some 2,000 patients, according to OCR. Dr. Zdenko Korunda, medical director of the practice, signed the settlement agreement on Dec. 6, 2019.
In its announcement, OCR noted that, earlier in 2019, the agency launched an initiative to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice,” as provided for under the revised privacy rule.
Korunda is the second organization to pay a penalty for allegedly failing to comply with access requirements. The first organization is also in Florida—Bayfront Health Saint Petersburg—and it also paid $85,000 and accepted a one-year corrective action plan (CAP) to put its regulatory troubles behind it. But by several measures, noncompliance remains widespread, and at least one records firm that represents patients says that, even with two settlements, OCR needs to do more.