Lessons Learned From 5 Right of Access Violations

Right of access violations can lead to costly fines, reputational damage, and other issues for healthcare organizations. They can also cause your law firm to experience undue delays during client record retrieval.

Following HIPAA rules is critical for every personal injury attorney working with healthcare organizations to build a case. When it comes to record retrievals, you must pay close attention to detail to avoid disclosing private information. Still, mistakes happen, and many practices feel the sting of HIPAA-enforced penalties every year.

Reviewing right of access standards is a proactive way to reduce your law firm’s risk of committing a harmful HIPAA violation. Our team at ChartRequest compiled a comprehensive list of real-world right of access mishaps in the healthcare sector.

But first, let’s examine the essential details of HIPAA and patients’ right to access their medical records.

What is HIPAA?

HIPAA provides the regulatory authority to monitor and enforce healthcare privacy and security standards in the United States. According to HIPAA regulations like the Privacy Rule and the Security Rule, covered entities and their business associates must adhere to strict rules related to protected health information (PHI).

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes guidelines for protecting patients and their medical records. Nuances to the Privacy Rule — such as the Minimum Necessary Rule — protect sensitive data during disclosures. These reinforcing standards ensure that custodians only release the minimum amount of information to comply with a request or complete a task.

While the Privacy Rule primarily focuses on protecting patients’ identifiable information, it also enhances patients’ rights to access and review their medical information personally or via a third party.

According to the Privacy Rule, individuals and their authorized parties may:

Review and obtain copies of their own medical records and other such PHI. HIPAA requires healthcare providers to release medical records within 30 days of receiving a request, and state laws may include faster turnaround requirements.
Obtain documentation for medical records disclosures made with their PHI over the previous 6 years.
Submit a request to amend inaccurate or incomplete information within their medical records.
Place a complaint about the covered entity’s compliance with privacy policies, procedures, and the Privacy Rule.
Receive notice of privacy practices, including anticipated uses or disclosures that covered entities can make without patient authorization.
Request alternative means or location for receiving PHI.

While this rule allows patients to seek their own protected health information, there are limitations. These limitations include:

Psychotherapy notes
Information compiled for legal proceedings
Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
Information held by certain laboratories

Covered entities are also responsible for declining to release information in cases where releasing PHI to an individual could harm them or others.

Your legal team can review the HIPAA Privacy Rule at 45 CFR Part 160 and Subparts A and E of Part 164.

HIPAA Security Rule

HIPAA also outlines regulations to protect patients’ electronic health records (EHR) during record requests and exchanges. Just as the Privacy Rule outlines the privacy of identifiable PHI, the Security Rule outlines how covered entities and business associates must protect PHI.

Examples of identifiable PHI include:

Names, birth dates, and addresses of the patient
Dates of medical treatment
Drug codes and treatment plans
Diagnoses
Social Security Numbers
Phone numbers
Billing information
And more

HIPAA protects this information by creating a comprehensive security protocol outline for covered entities. They achieve this broad task by breaking down the security requirements into three buckets:

Administrative Safeguards require business associates to sign a business associate agreement and comprehensively cover risk assessments, security management processes, and other policy-based requirements for protecting records.
Technical Safeguards cover the system requirements for digitally storing protected health information. These standards should be considered a baseline.
Physical Safeguards cover machines, paper records, and general facility protections, such as installing adequate locks.

These security regulations reduce the risk of electronic data breaches, insider attacks, and other forms of social engineering to access PHI. Benefits include:

These safety measures provide the following benefits:

Confidentiality: Patient confidentiality is critical to administering ethical and effective treatment. Legally, a healthcare provider does not have the right to access and disclose any information to unauthorized entities or individuals without consent except under specific circumstances.

Identity Security: Bad actors can exploit PHI to steal a patient’s identity. In 2021, hackers compromised nearly 45 million health documents around the world. These attacks resulted in stolen identities and ransoms.

Monitoring: Right of access rules improve custodians’ ability to track and monitor sensitive documents by restricting them to a small circle of authorized users.

You can read more about the Security Rule at 45 CFR 160, 162, and 164.

Standard HIPAA Right of Access Violation Penalties

The Office for Civil Rights (OCR) is a branch of the U.S. Department of Health and Human Services. It is responsible for investigating potential HIPAA violations and enforcing penalties under the law.

Right of access violations are so common in the healthcare and legal sectors that OCR passed the Right of Access Initiative to enforce the exchange of records.

During the OCR’s investigation, they will compile evidence that suggests intentional or unintentional wrongdoing and report its findings to the Department of Health and Human Services. The OCR may request documentation during its investigation and expects the utmost compliance.

If the OCR discovers a violation, they will enforce penalties based on a tiered model. Here are some of the penalties you may expect:

Corrective Action

The OCR may issue corrective action if it determines that a violation is small enough to mitigate before it causes damage. These actions may take the form of upgrading security policies and protocols, restricting a firm’s access to certain record transfer services, or issuing warnings.

Though corrective actions may seem lenient, they could significantly delay your law firm’s ability to access the information you need on time. It’s best to avoid these problems entirely by remaining compliant with HIPAA Privacy and Security Rules.

Civil Penalties

Civil penalties issued by the OCR usually consist of fines or other financial obligations toward mitigation. Here is what your law firm should know:

Accidental Violations: Accidental PHI disclosures may not be malicious. In these situations, the OCR may issue a monetary penalty of $100-$50,000 per violation. They may also demand an additional $25,000 for any subsequent violations.

Reasonable Cause: Carelessness may result in violations costing your firm between $1,000-$50,000. The OCR also declares that repeat violations can come with an annual maximum penalty of $100,000.

Willful Disclosures: Willful disclosures or neglect can result in $10,000-$50,000 worth of fines. The OCR may issue a $250,000 maximum penalty on top of subsequent violations.

Subsequent Violations: Failure to correct these violations after the OCR issues monetary penalties can result in a $1.5 million maximum penalty. The OCR may refer your organization for criminal investigation proceeding these violations.

Criminal Penalties

Sometimes, civil penalties are not enough to dissuade malicious or neglectful actors from releasing sensitive information. In this case, the OCR may refer the case to the Department of Justice (DOJ) for criminal investigation. Like civil penalties, criminal penalties are also dynamic according to the severity of the data leak.

For example, individuals who “knowingly” release PHI without consent or proper authorization may face up to a year in prison. Additionally, anyone who releases PHI under false pretenses could face five to ten years in prison. The severity of the sentence depends on whether the individual disclosed sensitive information for personal gain or malicious purposes.

Additionally, the HIPAA Breach Notification Rule requires disclosure of all breaches, from sending records to the wrong fax number to major data breaches.

Alternative Penalties

In some cases, a law firm or healthcare organization may lose its license to operate as a legitimate business. Furthermore, a serious PHI leak could result in detrimental reputational damage if the public catches wind of the offense.

Depending on the situation, repairing a practice’s credibility after these disclosures can be challenging, if not impossible.

5 Examples of Real-Life Right of Access Violations for Your Law Firm To Consider

Analyzing hypothetical situations is a practical thought experiment when determining how to avoid Right of Access violations. Still, it’s worth exploring some of the recent, real-world scenarios that many healthcare and legal organizations experienced:

ACPM Podiatry

In 2022, the OCR found that ACPM Podiatry offices in Peoria and Canton, IL, did not provide a former patient with their requested PHI within a reasonable timeframe. As a result, the organization had to pay a civil money penalty of $100,000 in restitution.

Memorial Hermann Health System

In 2017, law enforcement arrested a patient using a fake Social Security card at Memorial Hermann Health System. However, HIPAA fined the hospital for releasing the patient’s name. Although the patient’s identity became public through police records later, the facility did not have the right to disclose that information.

Memorial Hermann Health System settled with a $2.4 million fine.

Coastal ENT

Coastal Ear, Nose, and Throat failed to provide a patient with their PHI records in January 2021. The delay placed the facility in violation of the Right of Access standard. The Department of Health and Human Services drafted a resolution agreement and corrective action plan to mitigate the violation.

You can view the entire report here.

Erie County Medical Center Corporation

The OCR recorded a HIPAA violation from the Erie County Medical Center Corporation in 2022. The facility failed to provide a complete copy of a patient’s medical records on time. Erie County Medical Center Corporation agreed to comply with corrective actions and paid an additional $50,000 in settlement fees.

This example emphasizes the need for health providers to transfer complete documents when requested.

Fallbrook Family Health Center

Fallbrook Family Health Center paid a $30,000 settlement after failing to provide patients with access to their medical records. This example further highlights how easy it can be for healthcare organizations to violate a right of access without the means to transfer documents quickly.

How To Avoid Right of Access Violations

One way your law firm can avoid right of access violations — or other HIPAA-enforced penalties — is by investing in a reliable third-party release of information (ROI) service. These record management specialists can communicate with healthcare providers and other vendors for fast access to data. These companies typically offer encrypted software for high-volume requests and other intuitive dashboard features for monitoring your request.

As a personal injury attorney, you likely don’t have the time or resources to complete HIPAA-compliant record retrieval requests alone. Full-service companies like ChartRequest can do all the work for you, so your legal team doesn’t need to train on new software solutions.

5 Examples of Right of Access Violations

Now that you understand the steep consequences of HIPAA violations, review the following hypothetical situations to see them in action:

Hypothetical Right of Access Violation Example 1: The Hacker

Hackers breached an unsecured network in a law firm, giving them access to the practice’s record management system. Consequently, the hackers obtained the PHI from dozens of client medical charts.

In this situation, the law firm failed to comply with HIPAA’s Security Rule for best data encryption and access practices. The firm was paid thousands of dollars in fines for mitigation and additional losses in legal settlements.

Investing in risk analysis tools and secure digital infrastructures can lower your risk of exposing client PHI to bad actors. While every law firm should have a comprehensive cybersecurity policy, outsourcing record management and storage to a respected third-party organization may be a practical solution for many organizations.

Hypothetical Right of Access Violation Example 2: Internet Exposure

A paralegal mistakenly disclosed ten clients’ PHI over the internet, and the liable law firm did not notify these individuals for over four months. Once a victim caught wind of the problem, they contacted the authorities, and the OCR began to investigate the violation. The law firm owed thousands of dollars in fines for breaking the Breach Notification Rule.

Moreover, the firm lost many clients due to public outrage and complaints.

HIPAA covered entities like personal injury law firms. Therefore, these organizations must comply with HIPAA guidelines and regulations. In the case of an accidental PHI leak, the responsible party must notify affected parties within 60 days of the incident.

Hypothetical Right of Access Violation Example 3: The Insider Attack

A law firm fired a paralegal and did not update the passwords to its record management software. Consequently, the begrudged ex-employee accessed the software from an off-site location and leaked the electronic PHI of over 400 clients.

The law firm violated the HIPAA Privacy and Security Rules in this situation. The OCR found them liable for over $150,000 in fines.

The legal sector is particularly prone to insider attacks. It’s crucial to maintain control over who can access your electronic record management system in and out of the office. Monitoring clients’ PHI is the safest way to protect your firm from expensive HIPAA fines.

Hypothetical Right of Access Violation Example 4: Press Release

When reviewing their case, a personal injury law firm intentionally released a client’s PHI to the press. This reckless behavior cost the practice over $2 million in fines.

Your practice cannot release the PHI of clients without their affirmative consent. Moreover, it is important not to release details about a case — especially to the press — without the court’s approval.

Hypothetical Right of Access Violation Example 5: Misuse of Records

A law firm was unable to prevent an office worker from accessing and selling the PHI of over 50 clients to buyers on the dark web. This negligence cost the firm thousands of dollars in mitigation fees and resulted in the employee’s imprisonment for intentional misuse of PHI for personal gain.

Continually update your security protocols to prevent unauthorized breaches. To safeguard sensitive data, it may be worth setting up two-step verification processes. Additionally, notify the OCR whenever you suspect a breach to avoid any suspicion that the rest of your law firm was in on the leak.

Are you ready to streamline your law firm’s record retrieval process from a trusted third-party provider? ChartRequest is here to help with all your record request needs!

Contact our team today to explore which service option is right for you and your practice’s operations. We can guide you toward the resources you need to avoid expensive HIPAA violations.

Want to learn more about healthcare regulations, best practices, and more? Check out our other articles.