The HHS’ Office for Civil Rights (OCR) has revealed a settlement has been agreed with Ridgewood, NJ-based Village Plastic Surgery to resolve a potential breach of the HIPAA Right of Access provision of the HIPAA Privacy Rule. As per the terms of the settlement, Village Plastic Surgery will pay a $30,000 fine and will implement a corrective action plan that includes the creation of policies and processes covering patient medical record access requests. Village Plastic Surgery will also be monitored for HIPAA compliance by OCR for 24 months.
OCR initiated a HIPAA investigation into Village Plastic Surgery after having a complaint submitted by a patient of the practice on September 7, 2019. The patient had asked for a copy of the medical records stored by the plastic surgery practice but had not been given those records within the maximum time permitted by the HIPAA Privacy Rule. OCR looked into this and, during the course of its investigation, discovered that Village Plastic Surgery did not hand over the requested files to patient in question.
OCR investigators found that the delay in handing over the records, which was longer than the 30 allowed days for completing patient requests for their medical records, was in breach of the HIPAA Right of Access, as listed in 45 C.F.R. § 164.524. Due to OCR’s intervention, the patient was sent a copy of the requested records.
Acting OCR Director Robinsue Frohboese commented on the case saying: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner. Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”
This is the 18th financial penalty to be sanctioned by OCR to settle breaches of the HIPAA Right of Access under its Right of Access enforcement initiative that started towards the end of 2019. This is the 6th HIPAA penalty to be sanctioned in 2021, and the 5th to settle a HIPAA Right of Access breach.