On December 12, 2019, the Office for Civil Rights (OCR) announced its second enforcement action this year related to an individual’s right to access his/her protected health information (PHI). Korunda Medical, LLC (Korunda) settled with OCR for $85,000 for a potential violation of HIPAA’s Right of Access Initiative, designed to ensure covered entities are providing individuals with access to their PHI in accordance with HIPAA’s requirements.
In March 2019, OCR received a complaint from a Korunda patient alleging that Korunda failed to timely forward the individual’s PHI in an electronic format to a third party. In addition to Korunda’s delay in providing access to the PHI, Korunda did not provide access in the format requested, and charged more than a reasonable cost-based fee.
OCR first attempted to provide Korunda technical assistance on how to afford proper access to the individual in an attempt to close the complaint. After Korunda’s continued failure to provide the proper access in a timely manner, a second complaint was made to OCR, at which time OCR opened an investigation into Korunda’s HIPAA compliance.
The Korunda settlement is OCR’s second enforcement of the Right of Access Initiative, with the first also resulting in an $85,000 settlement. In a press release from OCR announcing the Korunda settlement, OCR’s Director, Roger Severino, stated, "For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law."
In the wake of OCR’s enforcement actions involving individuals’ right to access their PHI, covered entities should carefully review HIPAA’s right to access requirements, including OCR’s Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 guidance. We have summarized certain of the requirements here:
In addition to Korunda’s $85,000 settlement, Korunda also entered into a Corrective Action Plan (CAP) with OCR, which requires Korunda to submit information to OCR every 90 days regarding all access requests received, and supporting documentation for any denied requests for access, during the one-year term of the CAP. Korunda also must update its HIPAA policies and procedures and provide HIPAA training to workforce members.