Small Practices Facing Right of Access Cases



Three HIPAA right of access cases were resolved recently, bringing the total number of cases under the Right of Access Initiative to 41. Perhaps surprisingly, all three of these cases involved dental practices.

The new OCR Director, Melanie Fontes Rainer, said: “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law.”

Let’s take a look at each of the three recent cases:

  1. A practice in Chicago provided a patient with only certain portions of her requested medical records. After the patient made a complaint, an OCR investigation was launched, and she was provided with a complete copy. Unfortunately, the fulfillment of this request didn’t take place until five months after the request was made. Now, the OCR has required this practice to develop and regularly review access policies and procedures. In addition, their employees will be given training on patient data access and the new policies.

Result: $30,000 fine, plus implementing a corrective action plan.

  2. A patient of a Georgia-based practice was denied access to her medical records until she agreed to pay the practice’s $170 copying fee. While the HIPAA Privacy Rule does allow providers to attach a fee to this service, that cost may only cover copying labor, supplies, and preparation of a summary of PHI. The OCR found the $170 fee unreasonable, and the patient received her requested information more than a year after the request.

Result: $80,000 fine, plus implementing a corrective action plan.

  3. A patient requested access from the practice to her records and her child’s, and was told that the office was closed, but that they would be able to send her the records via email. After confirming the email account, the patient tried several more times to reach out. At this point months had passed, and she was finally told that she would need to submit a written request. The practice provided the data in less than 30 days following this written request, but the OCR still held that they had failed to comply with the requirement to provide timely access.

Result: $25,000 fine, plus implementing a corrective action plan.

Take the Proper Steps Now

With Q4 of 2022 right around the corner, it’s time to conduct your organization’s Security Risk Analysis, and ensure you have updated policies and procedures in place. Our team at Medcurity is here to help you meet compliance requirements, so you can continue to focus on providing the best patient care. If you have any questions, please reach out to us.