OCR Issues Second Fine for Noncompliance with HIPAA Right of Access

The Department of Health and Human Services’ Office for Civil Rights has announced another settlement has been reached with a HIPAA-covered under its HIPAA Right of Access enforcement Initiative.

Naples, FL-based Korunda Medical is required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access violations and must adopt a corrective action plan that requires policies and procedures to be updated. The healthcare provider’s compliance efforts will then be closely monitored by OCR for one year.

The compliance failures came to light during a March 2019 investigation by OCR that was triggered by a complaint from a Korunda Medical patient. The patient informed OCR that Korunda Medical had refused to send her medical records electronically to a third party. OCR contacted Korunda Medical and provided technical assistance and the case was closed. However, a few days later a second complaint was submitted to OCR indicating Korunda Medical was still not compliant. OCR determined that the continued noncompliance after receiving assistance warranted a financial penalty. Korunda Medical agreed to settle the case.

In September, OCR also fined Bayfront Health St. Petersburg $85,000 for a HIPAA Right of Access failure. Further financial penalties can be expected if OCR determines that other healthcare organizations are not fully compliant with this important provision of the HIPAA Privacy Rule.

Based on the findings of a November study by Citizen, several more fines may well be issued. The study revealed 51% of healthcare providers are not fully compliant with the HIPAA Right of Access. The fines are intended to serve as a warning to all covered entities than noncompliance will not be tolerated.

It is important for patients to be given copies of their medical records and to make it easy for them to share those records with whomever they choose. That means medical records need to be provided in the format of the patient’s choosing, are sent to their nominated representative, and that they should not be charged excessive fees for exercising their rights.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/