Source: www.databreachtoday.com – Author: 1
Healthcare
,
HIPAA/HITECH
,
Industry Specific
Settlement Is HHS OCR’s 46th Enforcement Action Based on Health Record Complaints
Marianne Kolbasuk McGee (HealthInfoSec) •
January 4, 2024
It’s a new year, but federal regulators are beating an old HIPAA drum: The Department of Health and Human Services has hit a New Jersey medical practice with a $160,000 settlement in the agency’s 46th enforcement action involving HIPAA complaint about right of access to health records.
See Also: 6 Healthcare Industry Prescriptions | Curing Your Contact Center Data Security Epidemic
Patients of Optum Medical Care of New Jersey – formerly known as Riverside Medical Group – had to wait up to seven months to access their medical records, according to the HHS’ Office for Civil Rights resolution agreement with the entity. The practice also must implement a corrective action plan to avoid similar potential future violations of the HIPAA “right of access” provision.
The enforcement action against OMCNJ, which is a multi-specialty practice with about 150 locations in New Jersey and southern Connecticut, stems from six complaints HHS OCR received about the organization within six weeks in the fall of 2021.
The six complaints – filed in 2021 by individuals on Oct. 5, 18 and 22 and Nov. 1, 17 and 18 – each allege that OMCNJ refused to provide a copy of the individual’s medical records or the complainant’s minor children’s medical records.
HHS OCR said its investigation into the complaints found that OMCNJ had failed to provide timely access to protected health information as required under HIPAA. In some of those instances, HHS OCR found that patients had received their requested records between 84 and 231 days after their respective requests were submitted to OMCNJ.
The HIPAA right of access provision requires that providers give access to requested medical records no later than 30 calendar days after receiving the individual’s request.
“Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said Melanie Fontes Rainer, director of HHS OCR, in a statement in December.
“Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law – providers must proactively respond to record requests and ensure timely access.”
HHS OCR has issued 45 other enforcement actions in “right of access” disputes since launching its HIPAA compliance initiative in April 2019. “Right of access” complaints are the most common impetus for HHS OCR taking HIPAA enforcement actions.
As part of the corrective action plan, OMCNJ also must distribute its revised policies and procedures to its workforce and provide training on the HIPAA privacy rule’s individual right of access to PHI.
The settlement between HHS OCR and the practice states that the agreement is not an admission of liability by OMCNJ, nor is it a concession by HHS that OMCNJ is not in violation of the HIPAA rules and not liable for civil money penalties.
In a statement, the medical group told Information Security Media Group: “Optum has long supported patients’ timely access to their health information. We have addressed the cause of this issue and are sorry for any inconvenience it may have caused.”
OMCNJ is a medical group within Optum, which is part of the UnitedHealth Group.
Original Post url: https://www.databreachtoday.com/practice-fined-160k-for-6-right-access-complaints-a-24033
Category & Tags: –
