Providers & Health Plans Warned To Timely Deliver Requested Records By $100,000 HIPAA Penalty

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health care providers, health plans and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules’ right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension and prohibits charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone.

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020, regarding the status of her request, but still did not receive the requested records until it produced the records in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule.

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty.

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer. As stating:

Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.” 

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days.Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.. 

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters. 

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Health Care | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

High Dollar Civil Monetary Penalties Warn HIPAA-Covered Heath Providers, Health Plans & Healthcare Clearinghouses To Ensure Timely Medical Record Access

August 5, 2024

The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative.  OCR’s AMR CMP announcement follows its April 1, 2024 announcement Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations.  With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative.  In light of OCR’s clear commitment holding all Covered Entities accountable for Access Rule compliance, all Covered Entities should recognize the importance of timely responding to each access request in accordance with the Access Rule to avoid similar CMP exposure for their organizations.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require that Covered Entities and their business associates meet for protecting to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights.  Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires that a Covered Entity to respond to a request from an individual or its personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request.  OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance governing the calculation of the allowable fee, if any, the Covered Entity can charge for providing the PHI to a reasonable cost-based fee calculated following the Access Rule.  It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements.  When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,1 generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

  • A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.3 The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31. 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, that clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its HER, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR.  Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October, 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally.  Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and providing AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule.  OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMER a Notice of Proposed Determination that announced OCR’s intent to impose the $155,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for  AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows: $39,680 CMP Calendar Year 2018 (31 days from 12/1/18-12/31/18 at $1,280 per day); plus           $75.520 CMP Calendar Year 2019 (59 days from 1/1/19 to 2//19, at $1,280 per day) = $115,200 Total CMP

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors, OCR determined AMR’s arguments factually inaccurate and not meriting change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors. 

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority.  Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024. 

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule in April.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son who requested the records as his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final  Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally.  Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC responded via e-mail through its attorney on April 29, 2022, that WCCC disagreed with OCR’s proposed resolution, OCR received an email correspondence from the WCCC’s attorney stating WCCC’s disagreement with OCR’s proposed resolution.  OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020.  WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC instead sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care, that WCCC also was struggling with the COVID-19 pandemic, that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request before WCCC’s response to the initial request was due and asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents. 

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

  • Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.  
  • OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (the Patient’s AttorneyA). 
  • OCR likewise found rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted amidine the midst of litigation with the requesting party during the COVID-19 pandemic and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced  on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule. 

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019 that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records 323 days after the request on January 30, 2020 and only after OCR attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements. 

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship, however, OCR agreed “as a compromise based on the unique facts and circumstances of this matter,” to accept in full satisfaction of the $75,000 CMP assessed due and owing by Phoenix under ALJ Decision affirmed by DAB Decision No. 3105 and DAB Decisions  No. CR6232 in return for Phoenix’s payment of the $35,000 Settlement Amount and Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement makes clear OCR takes seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.  

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

  • Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
  • Failing to provide timely response to even a single access request can trigger a significant CMP;
  • The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delay or refusal timely to provide requested medical records within 30 days;
  • While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
  • If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, notification is delivered within 30 days of the original request and deliver the medical records promptly after the payment is received;
  • Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
  • A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
  • A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
  • Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records.  For instance, state medical licensure and ethics rules typically require physicians and other health care providers to provide copies of medical records or other materials that also qualify as protected health information under HIPAA.  Likewise, the Employee Retirement Income Security Act, state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others with timely access to medical or other records that also are protected heath information under HIPAA.  Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

  • Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
  • Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
  • Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
  • OCR referred 2,197 to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints cumulatively, in order of frequency through April, 2024 have remained consistent across the 20 years since HIPAA became effective.  They include cumulative in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement has impacted all types of Covered Entities and business associates.  According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Pharmacies;
  • Outpatient Facilities; and
  • Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR’s even further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring to update their Notices of Privacy Practices, all Covered Entities and their business associates should ensure seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Meeting with the HHS Office of Civil Rights on HIPAA, Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, their business associates about HIPAA and other privacy and data security protection, breach response and other compliance and risk management.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | data breach, Health Care, HIPAA, PHI, ransomware | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance

May 26, 2016

Healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates should verify that their copying charges and other policies and practices for responding to requests of individuals for copies and other access to protected health information (PHI) comply with the Privacy and Security Rules (Privacy Rule) of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) as construed in a new Frequently Asked Question (FAQ published May 24, 2016 as follow up to two other sets of guidance about HIPAA assess rights published by the Department of Health & Human Services Office of Civil Rights (OCR) since January, 2016.

New OCR Guidance Sheds New Light On HIPAA Access Rule Requirements

The OCR FAQ titled New Clarification – Up to $6.50 Flat Rate Option published May 24, 2016 is the third in a series of guidance materials OCR discussing OCR’s interpretation of individuals’ core right under HIPAA to access and obtain a copy of their PHI from Covered Entities since January, 2016 (the “Access Rule”).   With  OCR Enforcement Data already showing Access Rule violations among the top 5 issues in cases investigated by OCR every year since HIPAA took effect in 2003, Covered Entities can expect OCR to include Access Rule violations among the Privacy Rule violations OCR likely will target as it continues to ramp up its HIPAA audit, investigation and enforcement efforts.

As part of its sweeping requirements concerning the use, access, protection and disclosure of PHI, the Access Rule provisions of the Privacy Rule generally require Covered Entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the Covered Entity or its business associate.  This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the Covered Entity to transmit a copy to a designated person or entity of the individual’s choice as long as the Covered Entity or a business associate on its behalf maintains the PHI, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the Covered Entity, another provider, the patient, etc.).

With its publication of the New Clarification FAQ on May 24, 2016, OCR now has published three pieces of guidance (the Access Guidance) about its interpretation of the Access Rule since January, 2016 that it hopes will promote greater understanding of and compliance with the Access Rule by Covered Entities:

  • In January, OCR published a comprehensive Fact Sheet (Fact Sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient;
  • On March 1, OCR published a second set of FAQs accessible here addressing when Covered Entities may charge individuals to provide requested copies of their PHI, how Covered Entities must calculate these fees, when Covered Entities must send an individual’s PHI to a third party designated by the individual in its request for copies, and other issues relating to access rights guaranteed by the Privacy Rule; and
  • On May 24, 2016 OCR clarified this prior Access Guidance by publishing another FAQ titled New Clarification – Up to $6.50 Flat Rate Option .

Collectively, the Access Guidance addresses a broad range of questions and issues about the responsibilities of Covered Entities under the Access Rule including what PHI Covered Entities must provide as well as detailed guidance about when and how much Covered Entities can charge individuals for requested copies of their PHI or summaries of their PHI.  Since the OCR Access Guidance may restrict the charge that health care providers or other Covered Entities can charge for copies or other access more than applicable state law rules,  Covered Entities need to verify their practices comply with OCR’s Access Guidance in addition to any applicable state law rules.  The Access Guidance makes clear that OCR expects Covered Entities and their business associates to ensure that their charges for copying or providing other access to PHI guaranteed by the Privacy Rule complies with this Access Guidance even if that practice does not violate applicable state law.

Are You Charging Too Much? Charges For Copies of PHI Must Meet OCR Privacy Rule Guidance 

Concerning charges for copies of PHI requested by an individual, Privacy Rule § 164.524(c)(4) permits a Covered Entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information) provided that the Covered Entity properly and timely notifies the individual of the cost and properly determines the cost in accordance with OCR guidance.

Many physicians or other health care providers that use electronic health records (EHRs) certified to allow individuals to access their PHI in the system may be unaware that OCR views the availability of electronic access from the EHR affects the health care provider’s ability to charge for copies of requested PHI.  OCR’s position is that the Privacy Rule prohibits a Covered Entity from charging an individual for requested copies of PHI when the request is fulfilled by the individual accessing the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record.

Assuming the request for access or copies is not fulfilled through download from an HER, the Access Guidance indicates q Covered Entity must use one of three potentially applicable OCR-approved methods to calculate the fee the Covered Entity charges an individual for copies of PHI or an agreed upon summary provided that the method used takes into account only labor costs for copying or producing an agreed upon summary as defined by OCR.:

  • The “Actual Cost” Method;
  • The “Average Cost” Method; or
  • For electronic copies of PHI maintained electronically, the “Flat Fee” Method.

Charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating actual or average costs for requests for electronic copies of PHI under either the Actual Cost or Average Cost Methods.  However, by its terms, the “Flat Fee” Method is only an allowable for Covered Entities to use to avoid calculating actual or average allowable costs when a Covered Entity is providing electronic copies of PHI maintained electronically (and presumably when the access request is not fulfilled through download from an EHR).  When applicable, the Flat Fee Method allows a Covered Entity to charge a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.  The New Clarification – Up to $6.50 Flat Rate Option clarifies that use of the Flat Rate Method is permitted not required when a Covered Entity  provides copies of PHI maintained electronically other through download directly from a certified EHR. Covered Entities that wish to charge more than the $6.50 flat rate allowed under the Flat Rate Option retain the right, if the facts and evidence warrant, to use either the Actual Cost Method or Average Cost Method to calculate the fee for providing electronic records electronically within the boundaries of what is permissible under the Privacy Rule.

Where the Flat Fee Method is inapplicable or the Covered Entity elects not to use it, the Covered Entity must use either the Actual Cost Method or the Average Cost Method to calculate the fee in accordance with OCR’s rules.

Under the “Actual Cost Method,” a Covered Entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The Covered Entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs. Covered Entities that charge individuals actual costs based on each individual access request still must be prepared to inform individuals in advance of the approximate fee that may be charged for providing the individual with a copy of her PHI. An example of an actual labor cost calculation would be to time how long it takes for the workforce member of the Covered Entity (or business associate) to make and send the copy in the form and format and manner requested or agreed to by the individual and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format);

Under the “Average Cost” Method, in lieu of calculating labor costs individually for each request, a Covered Entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g., labor costs for copying but not for search and retrieval) and are reasonable. Covered Entities may add to that amount any applicable supply (e.g., paper, or CD or USB drive) or postage costs.    This standard rate can be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the individual requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. However OCR’s guidance states that OCR does not consider per page fees for copies of PHI maintained electronically to be reasonable for purposes of 45 CFR 164.524(c)(4);

Whether using the Actual Cost Method or the Average Cost Method, a Covered Entity must only take into account only “reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

OCR’s guidance makes clear that the reasonability of the charges for labor must reflect the technology available for providing this access.  In this respect, OCR’s guidance states that a Covered Entity cannot charge a fee under HIPAA for individuals to access the PHI from a health care provider’s EHR technology that has been certified as being capable of making the PHI accessible.   OCR’s position is that where a Covered Entity fulfills an individual’s HIPAA access request by allowing the individual to access the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record (CEHRT), an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, there are no labor costs and no costs for supplies to enable such access.

To the extent that access is not provided through an CEHRT, the fee a Covered Entity charges an individual to provide copies of requested PHI or an agreed upon summary may include only the cost of:

  • Copying the PHI; and
  • Preparation of an explanation or summary of the PHI, if agreed to by the individual.

As interpreted by OCR, labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.  For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

  • Labor for copying the PHI requested by the individual, whether in paper or electronic form;
  • Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
  • Postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
  • Creating and executing a mailing or e-mail with the responsive PHI.

See 45 CFR 164.524(c)(4).

The Access Guidance states the fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; outsourcing the function of responding to individual requests for PHI copies or other costs not listed above even if such costs are authorized by State law.  See 45 CFR 164.524(c)(4).

Of course, in any case, OCR’s guidance makes clear that regardless of how a entity chooses to calculate its fee to copy PHI, the Privacy Rule requires that the Covered Entity inform the requesting individual in advance of the approximate fee that may be charged for providing the copy requested and otherwise comply with the Privacy Rule as interpreted by OCR’s latest guidance concerning providing individuals access to PHI and other requirements.

Documented, Timely Action Needed To Mitigate OCR Audit, Investigation & Enforcement Risks

Beyond operationally complying with the Access Guidance, Covered Entities and their business associates generally will want to update their policies, practices and training to position themselves to defend their calculation of any charges made for copies provided in response to a request for access protected by the Privacy Rule and other compliance with the requirements of that rule and the otherwise applicable provisions of HIPAA as well as include monitoring and enforcement of these requirements as part of their ongoing HIPAA compliance efforts.

These and other HIPAA compliance efforts are particularly critical in light of the expanding audit, investigation and enforcement activities of OCR under the Privacy Rule.  OCR’s publication of the Access Guidance coincides with a surge in OCR’s HIPAA audit, investigation and enforcement activities.

OCR’s publication of the new Access Guidance comes as OCR is ramping up its interpretation, oversight and enforcement of HIPAA generally.  See, Brace For OCR HIPAA Audits & Enforcement; Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance.  While continuing to offer guidance like the Access Guidance and other tools to encourage and help Covered Entities and their business to understand and comply with the Privacy Rule, OCR also increasingly now uses the expanded penalties and authority created by the HITECH Act to punish Covered Entities for violating Privacy Rule requirements.  HITECH Act amendments, among other things, broadened the duties of OCR to audit, investigate and sanction HIPAA violations as well as tightened various requirements of the Privacy Rules.

The risks to Covered Entities from violating the Privacy Rules are significant and growing.  Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities and their business associates face heightened risks that violations of HIPAA will trigger liability to pay a Civil Monetary Penalty (CMP) to OCR or other sanctions.  The two, multimillion dollar CMPs now imposed by OCR against two different Covered Entities caught violating the Privacy Rules only reflect a small part of OCR’s CMP enforcement.  Equally or perhaps more significant are the growing stream of high dollar settlement payments that an ever-growing list of Covered Entities to resolve OCR Privacy Rule violation charges that otherwise also might result in OCR’s assessment of a CMP against them.  See, e.g. $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges; North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations;  OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000; Lehey Pays $850K After Unencrypted Laptop Stolen.

These already substantial enforcement risks are likely to rise as OCR begins auditing the compliance of selected Covered Entities as part of its recently announced 2016 audit program.  As a result of audit requirements enacted as part of the HITECH Act, Covered Entities now need to be prepared to demonstrate the adequacy of their HIPAA compliance in case their organization becomes targeted for audit under OCR’s 2016 audit program.  Even if not selected for audit, however, Covered Entities and their business associates still face the risk that a complaint filed with OCR will trigger an OCR investigation of their practices for providing copies or other access or other compliance with the Privacy Rules.  In light of the growing aggressiveness of OCR’s enforcement, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.  Consequently, Covered Entities and their business associates should move quickly to review and update their practices, communications and training to comply with this new Access Guidance as well as other guidance, enforcement and other developments that might impact the adequacy of their existing practices under the Privacy Rule generally.  Because of the risk that any review or investigation of the adequacy of its practices or complaints under the Privacy Rule will involve sensitive information or analysis, Covered Entities and their business associates are cautioned to consider the advisability of arranging for this analysis and review to be conducted within the scope of attorney-client privilege under the guidance of legal counsel experienced with the Privacy Rules and other related legal concerns.

 About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see www.CynthiaStamer.com, email Ms. Stamer cstamer@solutionslawyer.net or telephone her at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

 

 

 

1 Comment | Electronic Health Records, Electronic Medical Records, Health Care, Health care coding, Health Care Provider, Health Care Quality, health care reimbursement, HIPAA, Hospital, Hospital, hospitals, Meaningful Use, Medical Privacy, Medical Records, Physician, Physician Licensing, Privacy, Rural Health Care, Uncategorized, Veterans Health Care | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer