Client Alert: Attack of the Initiative - OCR's HIPAA Right of Access Initiative Targets Second Florida Provider
“For too long, health care providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up health care providers to their obligations under the law.”
- Roger Severino, Office for Civil Rights (“OCR”) Director
Enforcement of the OCR’s HIPAA Right of Access Initiative (“Initiative”) is in full swing and does not look like it will abate any time soon. The Initiative aims to enforce the rights of patients to timely receive copies of their protected health information without being overcharged for same. Recently, OCR announced its second Initiative settlement and enforcement action against Korunda Medical, LLC (“Korunda”), a Florida-based company. In 2019, OCR received patient complaints regarding Korunda’s failure to provide medical records. Subsequently, OCR found that Korunda twice failed to timely provide a patient with requested medical records. Korunda also failed to provide records in the patient’s requested format and charged more than the reasonable cost-based fees allowed under HIPAA. As part of its settlement with OCR, Korunda will pay $85,000.00 and enter into a corrective action plan, which includes a year of monitoring, developing HIPAA-compliant policies and procedures, and providing additional workforce training. The first Initiative enforcement action against Bayfront Health in St. Petersburg resulted in a similar settlement.
As multiple Florida-based companies have been subject to enforcement actions under the Initiative, Florida providers should review and update their policies and procedures regarding access to medical records under both federal and state law. Under HIPAA, patients have a right of access to inspect and copy their protected information with limited exceptions. 45 C.F.R. §164.524(a). Generally, a provider must act on a request for access to medical records no later than 30 days after receipt of the request. Id. If the provider denies the request, it must provide written reasons for denial that comply with HIPAA regulations. Id. If the patient requests copies, the provider may impose a reasonable cost-based fee that may include the costs specified in the HIPAA regulations. 45 C.F.R. §164.524(c)(4).
In addition to HIPAA, Florida law requires providers to produce medical records pursuant to a valid patient request. Section 456.057, Florida Statutes, states that providers duly licensed in Florida who provide a physical or mental examination, administer treatment, or dispense legend medication to a person, shall furnish all records of the treatment to the person or their legal representative upon request. “Records” includes all reports and records relating to the person’s examination or treatment, including X-rays and insurance information. §456.057, Fla. Stat. Records must be provided in a timely manner without delays for legal review. Id. Failure to comply with state law could subject providers to state disciplinary action.
In light of increased enforcement actions, providers should consult with their compliance officer and/or health law counsel for provider-specific record production requirements under state and federal law.
1 This article focuses on the obligations of health care providers under HIPAA. However, obligated covered entities under HIPAA also include health plans and health care clearinghouses.