Feds Hit 2 Nursing Home Firms With ‘Right of Access’ Fines

The U.S. Department of Health and Human Services is continuing its crusade for entities to provide patients and their representative with timely access to their medical records when requested. Regulators have hit two nursing home operators – one in Oklahoma and one in New Jersey – with monetary fines in separate HIPAA “right of access” disputes that began several years ago.

See Also: OnDemand | Making the Connection Between Cybersecurity and Patient Care

Both “right of access” enforcement action cases involve adult children who sought copies of their parents’ medical records from skilled nursing facilities where the parents were patients.

Under the HIPAA Privacy Rule, regulated entities must comply within 30 days of receiving a records request. The two recent cases are the 47th and 48th “right of access” enforcement actions HHS OCR has taken since the agency launched its “right of access” compliance initiative in April 2019 (see: HHS Lowers Some HIPAA Fines).

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” Melanie Fontes Rainer, director of HHS’ Office for Civil Rights, said in a statement.

“Without this access, patients are at risk for incorrect treatments, inaccurate health records and lack of understanding of their health conditions. It is unacceptable for a healthcare provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”

Enforcement Actions

HHS said on Monday that Essex Residential Care LLC – a skilled nursing facility that does business as Hackensack Meridian Health, West Caldwell Care Center – has agreed to pay a $100,000 civil penalty in a “right of access” case that started with a complaint filed to HHS’ Office for Civil Rights in May 2020.

The complaint alleged that WCCC failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after WCCC received sufficient documentation demonstrating that the son was serving as his mother’s personal representative.

As the result of HHS OCR’s investigation, WCCC sent the requested records to the patient’s son on Dec. 1, 2020 – about 161 days after they were first requested.

HHS OCR said it issued to WCCC in September 2023 a notice of proposed determination seeking to impose the $100,000 civil monetary penalty and that WCCC waived its right to a hearing and did not contest OCR’s findings.

Civil monetary penalties, rather than settlements, are typically used by HHS only when it cannot reach a satisfactory resolution through a HIPAA-regulated organization’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, said regulatory attorney Rachel Rose.

“CMPs are, aside from criminal actions, only applied in instances of egregious noncompliance against a covered entity or business associate,” said Rose, who is not involved in HHS OCR recent right of access cases.

In its other recent enforcement action, HHS OCR said on March 29 that Phoenix Healthcare – a multifacility organization offering nursing care in Tulsa, Oklahoma – agreed to pay $35,000 and implement corrective actions to settle its “right of access” dispute.

That case started with a complaint filed to HHS OCR in April 2019 by the daughter of a patient of Phoenix Healthcare, which does business as Green County Care Center. The daughter, who served as her mother’s personal representative, alleged that Phoenix would not provide her with mother’s requested medical records.

After several attempts to access the patient’s records, including attempts by HHS OCR to provide technical assistance, Phoenix sent the requested records on Jan. 30, 2020 – 323 days after the first request.

HHS OCR had initially sought in 2021 to levy a $250,000 civil monetary penalty against Phoenix Healthcare for alleged HIPAA violations in the “right of access” dispute.

But the proposed civil monetary penalty was whittled down to $75,000 – and eventually reduced again to a $35,000 financial settlement and corrective action plan – after Phoenix challenged the case with an HHS administrative law judge and then a departmental board of appeals.

Under the settlement with HHS OCR, Phoenix also agreed to take certain corrective actions, including revising its HIPAA policies and procedures to address the Privacy Rule’s requirements concerning an individual’s right of access to their PHI.

Neither WCCC nor Phoenix Healthcare immediately responded to Information Security Media Group’s requests for comment on their respective HIPAA “right of access” enforcement actions by HHS OCR.

Updated Privacy Guidance

Separate from the recent actions, HHS OCR on Monday issued updated guidance clarifying that under the HIPAA Privacy Rule, patients are allowed to request restrictions on who has access to their PHI during medical procedures.

That may include patient requests, for instance, to restrict medical trainees from accessing a patient’s PHI during a medical procedure. A covered entity, however, is generally not required to agree to the requested restrictions, HHS OCR said.

“If a covered entity agrees to an individual’s requested restriction, it must comply with the agreed-upon restriction, except for purposes of treating the individual in a medical emergency or under certain other circumstances specified in the Privacy Rule,” HHS OCR said. The covered entity also must document the agreed-upon restriction, the agency said.

The guidance was released along with a letter that HHS sent this week to teaching hospitals and medical schools, detailing the requirements for informed consent from patients as it relates to medical professionals performing sensitive examinations, especially on individuals under anesthesia.

“I would highlight two items which may have prompted this guidance,” Rose said. “First, over the past decade, there has been an uptick in holding physicians and other medical providers accountable for sexual assault or taking pictures of patients that they were not authorized to take, especially during surgical procedures,” she said.

Second, HHS OCR last year issued a notice of proposed rule-making for potential changes to the HIPAA Privacy Rule pertaining to reproductive healthcare information (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).

“That NPRM was released nearly a year ago, so it may be an area that HHS received a number of public comments on,” Rose said.