Healthcare , HIPAA/HITECH , Industry Specific
Feds Hit Ambulance Company With Big 'Right of Access' Fine
HHS OCR: The Firm Took More Than a Year to Provide a Patient With Requested RecordsFederal regulators smacked an emergency medical services company with a $115,200 civil penalty for failing to provide a patient with requested electronic access to her health information. The patient made multiple attempts to get records for more than a year.
See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape
The penalty against Colorado-based American Medical Response is the U.S. Department of Health and Human Services' 49th enforcement action in a case involving the HIPAA "right of access" provision.
The largest portion of HHS OCR's HIPAA enforcement actions over the last several years have centered on patient "right of access" disputes. Besides the civil monetary penalty lodged against AMR, HHS OCR has taken enforcement actions in 48 other such cases since the agency launched a patient "right of access" compliance initiative in April 2019 (see: Feds Hit 2 Nursing Home Firms With 'Right of Access' Fines).
"HIPAA gives patients a right to timely access to their medical records," said Melanie Fontes Rainer, director of HHS' Office for Civil Rights, in a statement Thursday. "OCR will continue to enforce this right through investigations, and when necessary, by imposing civil monetary penalties.”
Unlike the AMR case, most of HHS OCR's other previous enforcement actions in "right of access" complaint investigations have been resolved by entities agreeing to pay a financial settlement and implement a corrective action plan.
Dispute Details
The dispute involving AMR started on Oct. 31, 2018, when a patient sent a fax to AMR asking the company to send her medical records in an electronic format including “all billing records pertaining to treatment rendered on Sept. 15, 2015," when AMR treated her for an injury.
The patient over several months tried multiple times to receive copies of her requested information from AMR. On July 29, 2019, the individual filed a complaint with OCR alleging that AMR did not provide her with a copy of her PHI in response to multiple requests. HHS OCR notified AMR on Oct. 9, 2019, that it was launching an investigation into the complaint. In response to OCR's investigation, AMR sent the patient records on Nov. 5, 2019, which was 370 days after the patient's initial request.
Under HIPAA's "right of access" provision, a covered entity must act on a request for designated records access no later than 30 days after receipt of the request.
"A covered entity can respond to a right-of-access request by granting or denying the request in whole or in part, or if it is unable to take an action required, it may extend the timeframe for responding by an additional 30 days by sending the requestor a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request," HHS OCR said.
In October 2023, OCR issued a notice to AMR saying the agency was seeking to impose a civil money penalty against AMR. The company waived its right to a hearing and did not contest OCR's findings. OCR on Thursday said it finalized its determination and imposed the civil money penalty against AMR.
AMR did not immediately respond to Information Security Media Group's request for comment on why the company did not pursue a settlement with HHS OCR rather than take the civil monetary penalty.
Several considerations might have contributed to AMR's decision to waive a hearing and not contest HHS OCR's findings, leading the agency to issue a civil monetary penalty instead of the parties negotiating a resolution agreement, said regulatory attorney Rachel Rose, who was not involved in the AMR case.
"AMR may have done a cost-benefit analysis and chose to pay [the penalty] while limiting the use of counsel," she said.
"From an HHS OCR vantage point, it may be that the findings were admitted to by AMR," Rose said. A resolution agreement might have otherwise involved negotiated language saying that AMR's financial settlement payment is not an indication of noncompliance by the company. "We see this a lot in False Claims Act cases when the defendants settle."
AMR's Response
AMR "completely agrees that patients' access to their personal health records is of paramount importance," the company said in a statement to ISMG.
"That's why AMR takes significant measures to ensure our patients can access their records, and even provides multiple information sources to ensure ease in requesting these records online," the statement says.
"AMR provides a clearly defined process for obtaining patient records, which unfortunately was not followed in this case. However, to ensure ongoing support for these needs, AMR has changed vendors providing this service, which we believe will help support timely responses to any requests going forward," the statement says.
"While AMR disagrees with the enforcement action from the OCR, we are thankful that this issue has been resolved," the company said.
"We take these matters very seriously, so AMR is working diligently to ensure that patients and patient advocates fully understand the proper channels for records request and that our vendors are able to fulfill these responsibilities in a timely manner," AMR said.
Overcoming Hurdles
Despite HHS OCR making HIPAA's "right of access" provision a top enforcement priority over the last five years, a variety of factors likely play into the fact that many covered entities still struggle with complying, Rose said.
They include staffing issues as well as not having patient records request compliance as an operational priority due to the expenses involved, she said. But from HHS OCR's compliance standpoint, "this is low-hanging fruit and material to the government, as the 49 enforcement actions over the past five years indicate. So, the odds of getting caught are increasing. Ultimately, this could impact insurance rates and loans, so it is something to consider."
Covered entities can take several steps to ensure they don't inadvertently make potentially costly mistakes by not complying to records requests, Rose said, including "training, adequate policies and procedures, and implementing an enterprise risk management program to address workflow and communication issues. There are also more options for covered entities to outsource this function to a reputable business associate, so there should really be no excuses."