Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation.
OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided.
OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually provided to the patient in September 2020, 26 months after the initial request. HIPAA requires medical records to be provided within 30 days of a request being received.
OCR determined the failure to provide the medical records was in violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). Dr. Bhayani also failed to respond to letters sent by OCR on August 2, 2019 and October 22, 2019 requesting data. The failure to cooperate with OCR’s investigation of a complaint was in violation of 45 C.F.R. §160.310(b). OCR determined the violations warranted a financial penalty. Dr. Bhayani agreed to settle the case with no admission of liability.
“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.
The corrective action plan requires Dr. Bhayani to review and revise policies and procedures for providing individuals with access to their PHI in line with 45 C.F.R. § 164.524 and the policies must detail the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani is also required to provide privacy training to staff covering individual access to protected health information and the training materials must similarly be submitted to OCR for review and approval.
Every 90 days, Dr. Bhayani is required to send a list of all access requests to OCR, including the costs charged for dealing with the requests, along with details of any requests that have been denied. Any cases of staff members failing to comply with access requests must also be reported to OCR.
OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.