The Department of Health and Human Services’ Office for Civil Rights has revealed its second enforcement action as part of its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential fines for the HIPAA Right of Access and will implement a corrective action plan and bring its policies and procedures in line with the obligations of the HIPAA Privacy Rule.
In March 2019, OCR was submitted with a complaint from a patient who claimed she had not been provided with a copy of her medical records in the requested electronic format despite filing repeated requests. The complainant claimed that Korunda Medical refused to send a digital copy of her medical records to a third party and was overcharging patients for supplying copies of their medical records. Under HIPAA, covered entities are only allowed to charge a reasonable, cost-based fee for providing access to patients’ protected health data.
The first complaint was submitted with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and ended the complaint. Four days later, a second complaint was received which showed ongoing non-compliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been initiated. Due to OCR’s intervention, the complainant was given a copy of her medical records free of charge. Ongoing noncompliance with the HIPAA Right of Access lead to a $85,000 financial penalty for Korunda Medical.
OCR Director, Roger Severino said: “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law”.
The HIPAA Right of Action Initiative is a HIPAA enforcement drive to see to it that HIPAA-covered entities are supplying patients with copies of their medical records in a timely fashion, in the format of their choosing, and without being charged too much. The first enforcement action under this initiative was revealed in September 2019. Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to make up for HIPAA Right of Access failures.
This is the ninth HIPAA enforcement action recorded in 2019. OCR has settled 8 HIPAA breach cases this year and has applied a single civil monetary penalty, with the fines ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to make up for HIPAA violations.