Feds Slap Another Provider with ‘Right of Access’ Fine – Source: www.databreachtoday.com

Governance & Risk Management
,
HIPAA/HITECH
,
Privacy

$15,000 Settlement With Psychotherapy Counselor Is HHS OCR’s 44th Case

Marianne Kolbasuk McGee (HealthInfoSec) •
May 8, 2023    

Federal regulators are continuing their campaign to enforce compliance with the HIPAA “right of access” provision. The Department of Health and Human Services on Monday said it had slapped a solo-practitioner psychotherapy counselor with a $15,000 settlement in a dispute involving a parent who sought the medical records of his three minor children.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

In a statement Monday, the HHS Office for Civil Rights said it had received a complaint in December 2017 against David Mente, a licensed counselor providing psychotherapy services in Pittsburgh, Pennsylvania, alleging that Mente would not give a father copies of medical records for his three children.

OCR said it had provided technical assistance to Mente on the requirements of the HIPAA Privacy Rule’s “right of access” requirements and closed the complaint.

Despite OCR’s intervention, Mente failed to respond to the father’s subsequent request for his children’s records in April 2018, leading to the parent filing a second complaint to the agency.

OCR’s investigation of the second complaint determined that Mente’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA “right of access” provision, the agency said.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer.

“It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

Rainer, in a recent interview with Information Security Media Group, said patient “right of access” disputes are the No. 1 type of HIPAA complaint the agency receives.

“It’s a cornerstone of HIPAA for you to get access to your own information. But a lot of covered entities don’t take that seriously,” she said.

As part of the resolution agreement in the case, Mente provided the father with all requested records in his practice’s possession, OCR said.

Mente declined Information Security Media Group’s request for comment about the case.