Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH

HHS Issues Another 'Right of Access' Settlement

Second-Largest Fine in String of Patient Records Access Cases
HHS Issues Another 'Right of Access' Settlement

In the tenth HIPAA enforcement action in recent weeks, federal regulators have announced a $100,000 settlement in yet another case involving failure to provide a patient with timely access to their health records.

See Also: OnDemand | Making the Connection Between Cybersecurity and Patient Care

In a statement Friday, the Department of Health and Human Services’ Office for Civil Rights says its settlement with NY Spine Medicine includes a corrective action plan that must be implemented by the private medical practice, which specializes in neurology and pain management. The practice has offices in New York and Miami Beach.

The case is OCR’s ninth “right of access” settlement since launching an initiative last year to support individuals' rights to have timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

On Wednesday, OCR issued its largest right of access enforcement action to date - a $160,000 monetary settlement and corrective action plan with Phoenix-based Dignity Health, which does business as St. Joseph's Hospital and Medical Center (see: Biggest 'Right to Access Records' Penalty Announced).

Last month, OCR announced five other settlements ranging from $3,500 to $70,000 (see: Fines Tied to Failure to Provide Patients With Records).

And last fall, OCR unveiled its first two settlements in patient right of access cases - each with an $85,000 penalty.

The Latest Case

The resolution agreement in the NY Spine case notes that, in July 2019, OCR received a complaint from an individual alleging that, beginning in June 2019, she made multiple requests to the practice for a copy of her medical records.

NY Spine provided some of the records, but did not provide the diagnostic films requested, the agency notes.

“OCR initiated an investigation and determined that NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard,” OCR says. As a result of OCR’s investigation, the patient received all of the requested medical records this month.

“No one should have to wait over a year to get copies of their medical records,” says Roger Severino, OCR director. “HIPAA entitles patients to timely access to their records, and we will continue our stepped-up enforcement of the right of access until covered entities get the message.”

Corrective Measures

Under the settlement, NY Spine has agreed to take a number of corrective actions, including:

  • Developing and implementing written policies and procedures to comply with the federal standards that govern the privacy of individually identifiable health information, including patient right of access to records;
  • Distributing the policies and procedures to all workforce members and relevant business associates;
  • Providing training to all workforce members who are involved in receiving or fulfilling records access requests.

Other Settlements

In addition to the recent cluster of right of access cases, OCR last month issued three multimillion-dollar HIPAA settlements following breaches involving hacking incidents.

The largest of those - a $6.8 million settlement with Premera Blue Cross - was issued last month in a case involving a 2014 breach that exposed information on 10.4 million individuals.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.