OCR Imposes 47th HIPAA Fine to Resolve a HIPAA Right of Access Violation

American Medical Response HIPAA Fine

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 47th HIPAA fine to resolve a violation of the HIPAA Right of Access, which requires individuals to be provided with timely access to their medical records and only be charged a reasonable cost-based fee.

OCR launched its HIPAA Right of Access enforcement initiative in 2019 in response to many complaints from individuals who had not been provided with their medical records after submitting a request and/or were being overcharged for exercising this HIPAA Privacy Rule right. HIPAA-covered entities must provide the requested records within 30 days of receiving a request. When the proposed update to the HIPAA Privacy Rule is finalized, the maximum time will be reduced to 15 days. The latest fine was a civil monetary penalty rather than a settlement, and it was one of the largest HIPAA Right of Access fines to be imposed to date at $115,200. The large fine was imposed as it took 370 days from the initial request for the requested medical records to be provided.

The HIPAA violation occurred in 2018 at American Medical Response, a private ambulance company headquartered in Greenwood Village, CO. An individual who received services from American Medical Response requested a copy of her medical records on October 31, 2018. The HIPAA Right of Access required those records to be provided by November 30, 2018; however, those records were not provided. A follow-up request was sent to American Medical Response on January 24, 2019, but it took until March 1, 2019, for the individual to receive a response, which was a request from American Medical Response for payment to be made before the records could be released. That response was 121 days after the initial request; however, it took until November 5, 2019, for the requested records to be provided, 370 days after the request was initially made.

A complaint was filed with OCR over the HIPAA violation on July 29, 2019, and an investigation was initiated. OCR determined that American Medical Response had violated the HIPAA Right of Access, notified American Medical Response about its determination, and provided the ambulance company with the opportunity to settle. American Medical Response asked OCR to reconsider but did not provide sufficient evidence of mitigating factors to warrant a waiver of the HIPAA fine and a civil monetary penalty was imposed.

American Medical Response had policies and procedures in place for handling requests for copies of medical records and has since updated those policies and procedures to ensure that medical record requests are handled more efficiently. This is the second HIPAA violation case this year to result in a civil monetary penalty rather than a settlement, and both of those penalties were over $100,000. Phoenix Healthcare was found to have violated the HIPAA Right of Access and chose to settle and paid a $35,000 penalty.

“HIPAA gives patients a right to timely access to their medical records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to enforce this right through investigations, and when necessary, by imposing civil money penalties.”


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/