HHS Resolution Agreement: Korunda Medical, LLC (Dec. 11, 2019); HHS News Release (Dec. 12, 2019)
HHS’s Office for Civil Rights (OCR) has announced an $85,000 settlement with a HIPAA covered entity to resolve alleged violations of an individual’s right to access protected health information (PHI). According to the news release, OCR received a complaint alleging that, despite repeated requests, the covered entity failed to timely forward a patient’s medical records to a third party designated by the patient, failed to furnish the records in the requested electronic format, and charged more than the reasonable cost-based fees allowed under HIPAA. Although OCR provided the covered entity with technical assistance and closed the complaint, the covered entity failed to furnish the requested records, resulting in another complaint to OCR. Following OCR’s second intervention, the records were furnished without charge in the requested format. OCR determined that the covered entity was out of compliance with HIPAA’s access right from April 22 to May 12, 2019.
In addition to the settlement payment, the covered entity agreed to a corrective action plan (CAP). Among other requirements, the covered entity must revise its policies and procedures to comply with the HIPAA privacy rule’s access provisions and describe its methods for calculating a reasonable cost-based fee for access to PHI. The covered entity’s workforce training materials must also be revised to reflect the access requirements, subject to HHS’s review and approval, and the revised materials must be used to train workforce members by specified deadlines. At 90-day intervals for one year following the CAP’s effective date, the covered entity must notify HHS of all individual access requests and provide specified information about the covered entity’s disposition of the requests.
EBIA Comment: OCR’s news release indicates that this is the second settlement stemming from a right of access enforcement initiative announced in 2019. Because OCR has released extensive guidance on individuals’ access rights (see our Checkpoint article), it’s no surprise to see enforcement activity in this area. Although the dollar amount of the settlement may be considered modest, keep in mind that only one individual was affected by this violation and for only 20 days (resulting in a penalty of $4,250 per day). Another lesson from this settlement is the importance of heeding technical assistance from OCR. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).
Contributing Editors: EBIA Staff.