On July 15, 2022, the Office for Civil Rights (OCR) announced their most recent batch of healthcare organizations penalized for impeding patients’ rights in regards to their medical records. These 11 new penalties raise the total number of organizations penalized for the 2019 Right of Access Initiative to 38.
So why is this significant?
This batch raises the total number of financial penalties imposed for HIPAA violations since 2008 to 122. Of those 122, 31% of financial penalties for HIPAA violations were directly attributable to the Right of Access Initiative.
With the surge in HIPAA penalties, now is a good time to review the goals of this initiative so your organization can avoid making the same mistakes.
The latest batch of enforcement actions brings the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38.
WHAT IS THE HIPAA RIGHT OF ACCESS INITIATIVE?
The Right of Access Initiative is a 2019 OCR declaration that set their focus on enforcing Privacy Rule regulations. More specifically, they want to ensure that patients can access their medical records without unreasonable cost or delay.
Need to refresh yourself on the Privacy Rule?
The number of organizations penalized for HIPAA violation continues to grow, so let’s cover some crucial details that will help you stay compliant and avoid steep fines.
HIPAA legally entitles patients to the timely release of most of their medical records, and covered entities must respond to each request for medical records within 30 days of submission. This deadline can be extended an additional 30 days one time with written notice with an expected completion date.
Covered entities may only charge reasonable, cost-based fees for the release of information to non-provider requestors. These fee limits vary from state to state and from locality to locality.
It can be difficult to accurately gauge the best price you can legally charge for the release of information, but ChartRequest makes it easy by automatically calculating the best price possible based on your location.
Parent can also request records on behalf of their minor children. Once the child turns 18, you may not disclose their PHI to their parents without authorization from the patient.
It’s also crucial to ensure that all authorization forms are valid before releasing records. You can read more about HIPAA authorization here.
THE LATEST PENALTIES
We believe that it’s important to learn from the mistakes of others, so let’s talk about the latest 11 Right of Access Initiative penalties.
1: ACPM Podiatry received a civil monetary penalty of $100,000 for total failure to release records.
2: Memorial Hermann Health System settled for $240,000 after failing to release records for 564 days after receiving a request.
3: Southwest Surgical Associates settled for $65,000 after failing to release records for 13 months after receiving a request.
4: Hillcrest Nursing and Rehabilitation settled for $55,000 after failing to release records for 7 months.
5: MelroseWakefield Healthcare settled for $55,000 after failing to release records to a patient’s representative for 4 months.
6: Erie County Medical Center Corporation settled for $50,000 after failing to release records to a patient’s representative for 4 months.
7: Fallbrook Family Health Center settled for $30,000 for an untimely delay of record release.
8: Associated Retina Specialists settled for $22,500 after failing to release records for 5 months.
9: Coastal Ear, Nose, and Throat settled for $20,000 after failing to release records for 5 months.
10: Lawrence Bell, Jr. D.D.S settled for $5,000 after failing to release records for more than 3 months.
11: Danbury Psychiatric Consultants settled for $3,500 after withholding records for 6 months due to the patient’s outstanding medical bill.
4 TIPS FOR PREVENTING SIMILAR PENALTIES
We understand that the release of information is complicated and stressful, but it’s crucial for providing quality care and protecting your organization.
1: Know your compliance officer. This is the person responsible for understanding regulatory requirements, and they can help you feel confident releasing medical records. If you don’t know who your compliance officer is, you should seek their contact information and introduce yourself.
2: Double-check all incoming authorization forms and outgoing medical records. Mistakes happen, but it’s your responsibility to minimize them. You should verify that authorization forms have all essential details filled and that outgoing records fulfill the minimum necessary standard outlined in the Privacy Rule.
This standard calls for covered entities to only release the minimum records necessary to completely fulfill a request. Make sure that no records with date ranges, treatments, or ailments outside those specifically requested are released.
3: Communicate with your requestors. Try to set their expectations early in the process and provide them with any major updates or problems.
We understand that transparency during the release of information can be extra burdensome, as are consistent calls for status updates. That’s why ChartRequest allows requestors to check the real-time status of requests 24/7.
4: Keep a release schedule. To ensure that no requests pass their release deadline, keep a calendar with dates marked to track initial request dates, deadlines, and extensions.
ChartRequest Self-Service users can alternatively sort requests in our centralized dashboard by status, date received, and more to help ensure no requests are forgotten. This is just one of the many ways our release of information and care coordination solution can revolutionize your medical record exchange process.