Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider for failing to comply with HIPAA’s patient access requirements. Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of a patient’s complaint that it refused to provide the records in the requested electronic format and charged more than the reasonable, cost-based fee prescribed under HIPAA.
Korunda also apparently made the fatal mistake of ignoring OCR’s technical assistance. As I noted in connection with the $3 million resolution amount paid by a New York hospital system, when OCR offers technical assistance, the covered entity (or business associate) should follow it.
Payment of $85,000 may pale in comparison with payment of $3 million, but given the relative ease of complying with HIPAA’s patient access requirements, and added to the time and expense of responding to OCR’s investigation and negotiating the settlement agreement, it’s not an insignificant amount. In addition, compliance with the CAP will require additional expenditures of time and resources by Korunda. The CAP requires Korunda to submit the following to the U.S. Department of Health and Human Services (HHS):
* revised policies and procedures related to patient access that identify how Korunda calculates a reasonable, cost-based fee;
* training materials related to individual access rights, and then provide training to all workforce members;
* lists of requests for access (including date the request is received, the date the request is completed, the format requested, the format provided, the number of pages (if paper), the cost charged, including postage, as well as all documentation related to denials of requests)
* notification of any failure by a member of its workforce to comply with its access policies and procedures
* annual reports regarding the implementation of the CAP requirements
OCR has been focused on HIPAA’s access rights for the last few years. See here and here for posts from 2016 on this topic, and here for OCR’s first Resolution Agreement involving an access rights violation (also triggering an $85,000 settlement amount and similar CAP). Responding in a timely manner to patient access requests, providing the information in the format requested, not overcharging, and jumping on any technical assistance OCR sends your way are easy ways to avoid being the third example of, as OCR Director Severino put it,“bureaucratic inertia.”