Hackensack Meridian Health Penalized $100K For Medical Records Right of Access Penalty

Hackensack Meridian Health Penalized $100K For Medical Records Right of Access Penalty
Judge with a gavel and money

Hackensack Meridian Health, West Caldwell Care Center, also known as Essex Residential Care, recently faced a $100,000 penalty for Right of Access failure.

HIPAA’s Right of Access standard dictates that healthcare providers must release protected health information to authorized requestors within a reasonable time. Unfortunately, physicians across the country struggle to quickly deliver medical data when needed, resulting in hefty fines from the Office of Civil Rights (OCR).

This article will unpack the details of this Right of Access violation. Use this information to ensure compliance in your healthcare facility and avoid penalties for the HIPAA Right of Access Initiative. Once you finish reading, contact ChartRequest to discover the #1 software and services solutions and improve your record retrieval workflow.

Hackensack Meridian Health, West Caldwell Care Center is a leading provider of modern nursing and post-acute care services in New Jersey. Locals recognize the facility for its high-quality care, earning a five-star rating from the Centers for Medicare & Medicaid Services.

With such a stellar reputation, the news of their violation shocked many. 

In 2020, a patient’s son reported Hackensack Meridian Health to the HHS’ Office for Civil Rights after attempting to access his mother’s medical records numerous times. The facility denied his initial request on April 19, 2020, because he did not provide adequate credentials for official authorization. Hackensack Meridian Health requires documents like a power of attorney or a medical proxy signed by the patient to verify a representative’s authority.

The son complied by sending proper documentation, only to receive radio silence from the facility. Hackensack Meridian Health failed to provide the requested information within HIPAA’s required 30-day timeframe.

Schedule a Demo

The Privacy Rule provides exceptions for delays in cases of “unforeseen circumstances.” However, Hackensack Meridian Health failed to provide any evidence of external issues that prevented them from meeting their obligations to the requestor.

Hackensack Meridian Health Presented a Mitigating Defense

In October 2020, OCR opened an official investigation. Hackensack Meridian Health admitted failing to deliver the requested records within the Privacy Rule’s required timeline. Only after OCR intervention did the healthcare facility provide a copy of the medical records in November 2020 — 161 days after the initial request. According to OCR, the time gap between the initial request and the final provision of the copy is “a significant period of time.”

Following the healthcare facility’s acknowledgment, OCR offered to settle the HIPAA violation informally. However, Hackensack Meridian Health rejected this proposal, citing that the penalty was too harsh and presented mitigating circumstances. 

Below are the following mitigating circumstances Hackensack Meridian Health’s legal team stated in its Letter of Opportunity:

  1. The staff provided a copy of the patient’s medical records to another facility where she transferred, not to the Complainant.
  2.  The Complainant and his mother were in a legal battle with Hackensack Meridian Health over unpaid care fees at the time of the initial request.
  3. Hackensack Meridian Health staff could not prioritize request follow-ups due to COVID-19 constraints.
  4. The Complainant emailed his request for medical records and filed a complaint with OCR just 30 days later — before the organization’s response deadline.

Hackensack Meridian Health’s attorney asserted that the civil monetary penalty (CMP) amounting to $100,000 is not applicable under 45 CFR § 160.412. He maintained that OCR should waive the penalty because the delay was not due to willful negligence.

OCR Remained Firm in Imposing the Civil Monetary Penalty

OCR’s decision to impose the civil monetary penalty remains despite the reasons Hackensack Meridian Health cited in its affirmative defense. OCR used the provisions under 45 CFR §160.408 to uphold the CMP.

Here are the factors OCR considered:

  1. Though the incident impacted solely the Complainant and his mother, Hackensack Meridian Health still failed to provide timely access to the requested medical records. This delay occurred between June 23, 2020, and December 1, 2020. Thus, OCR deems this issue a neutral factor, as mitigating and aggravating considerations cancel each other out.
  2. The delay did not harm the requestor. However, OCR does not overlook potential damages from Hackensack Meridian Health’s lack of action.
  3. The facility did not have a prior offense similar to the Right of Access violation. Nevertheless, this compliance history does not dismiss the validity of the complaint reported to OCR.
  4. Hackensack Meridian Health is financially capable of paying the $100,000 penalty.

The Office for Civil Rights categorized Hackensack Meridian Health’s violation as a Tier 2 breach. Penalties vary between $1,000 and $50,000 — capped at a maximum of $100,000 annually.

Impact on the Healthcare Industry

Hackensack Meridian Health is not the first (and likely not the last) organization to come under fire from OCR HIPAA enforcers. Healthcare professionals across the United States should look to this news as a warning for their own businesses: A single complaint filed to OCR could derail a company’s operations and cost thousands of dollars in mitigation.

With increased patient demands and the highest recorded medical chart requests in years, it’s crucial to invest in technology and record release policies that streamline care. Regardless of your healthcare facility’s size, you must comply with HIPAA year-round and promptly address record requests before they spiral out of control.

Avoid Violating HIPAA’s Right of Access With ChartRequest

Even first-time Right of Access violators can receive steep HIPAA fines, as in the case of Hackensack Meridian Health, a highly-rated nursing facility with no prior violations. The event emphasizes OCR’s commitment to proactively enforcing HIPAA regulations, especially those concerning patients’ access to medical records.

As a record custodian, you must have a reliable process for promptly fulfilling requests. ChartRequest is a powerful Release of Information solution that can significantly speed up the medical records request process while ensuring compliance with HIPAA regulations.

Don’t let a simple medical record request become a costly HIPAA violation — trust ChartRequest to help you maintain compliance while providing efficient and secure healthcare services. Additionally, our Full-Service partners are covered by our 5-day turnaround guarantee

Partner with ChartRequest to beat the 30-day deadline and avoid HIPAA Right of Access violation! Contact us for a comprehensive consultation today, and follow us on LinkedIn for more industry news.

Facebook
Twitter
LinkedIn

Want to Stay Updated?

Subscribe to our newsletter to learn:

  • Tips to Ensure Compliance
  • Strategies for ROI Success
  • Relevant Healthcare News

We respect your inbox, so we’ll only reach out to share high-quality content.