The second enforcement action was issued by the Department of Health and Human Services’ Office for Civil Rights as per the HIPAA Right of Access Initiative. Korunda Medical in Florida agreed to resolve potential violations of the HIPAA Right of Access, to implement a corrective action plan and to create its policies and procedures in line with the requirements of the HIPAA Privacy Law.
In March 2019, OCR received a complaint from a patient about Korunda Medical’s inattention to her request for a copy of medical records in a particular electronic format despite repetitive requests. Allegedly, Korunda Medical refused to provide an electronic copy of her healthcare records to a third party and charged an excessive amount for the copies of the healthcare records. HIPAA requires covered entities to charge only a reasonable, cost-based fee when providing patients copies of their protected health information (PHI).
OCR received the first complaint on March 6, 2019. on March 18, 2019, OCR gave technical assistance to Korunda Medical about the HIPAA Right of Access and considered the issue as resolved. After four days, OCR received one more complaint that meant Korunda Medical failed to abide by the HIPAA Right of Access. On May 8, 2019, OCR informed Korunda Medical about starting a compliance investigation. Because of OCR’s involvement, the patient who complained finally got a copy of her medical records at no cost. As a result of persistent HIPAA Right of Access noncompliance, Koruda Medical had to pay an $85,000 financial fine.
Many healthcare companies have long-delayed in delivering to patients their requested health records copy. Hopefully, that will change as OCR moves its implementation of corrective actions and settlements based on the Right of Access Initiative. The HIPAA Right of Action Initiative is HIPAA’s enforcement drive to be sure HIPAA-covered entities promptly give patients copies of their medical records, in a file format requested at a fair price. In September 2019, Bayfront Health St Petersburg was issued the first enforcement action based on this initiative and had to pay an $85,000 financial penalty.
This HIPAA enforcement action on Korunda Medical is the ninth this 2019. 8 HIPAA violation cases were resolved in 2019 and one civil monetary penalty was announced. The financial penalties varied from $10,000 up to $3 million. At this point, OCR got paid $12,209,000 to resolve HIPAA violations.