California-based Psychiatric Facility Fined for Withholding Patient’s Medical Record

Nov. 6, 2020
It ultimately took 20 months for the practice to send the patient the requested information in her medical record

The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), has settled the tenth enforcement action in its HIPAA Right of Access Initiative, this one against a psychiatric facility that failed to provide a patient with her medical record, according to OCR.

OCR announced this initiative as an enforcement priority in 2019 to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. Last September OCR announced its first enforcement action and settlement in its Right of Access Initiative. More recently, it settled five more investigations, and this latest one marks the tenth.

The California-based Riverside Psychiatric Medical Group (RPMG) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.  RPMG is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.

In March 2019, OCR received a complaint from a patient alleging that RPMG failed to provide her a copy of her medical records despite multiple requests to RPMG beginning in February 2019.  Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter.  In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records, officials recounted.

OCR said that it initiated an investigation and determined that RPMG’s failure to take action in response to the individual’s request was a potential violation of the HIPAA right of access standard.  RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request.

Importantly, while the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when they deny any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding), OCR explained in its announcement.

As a result of OCR’s investigation, RPMG sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October 2020.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino.

In addition to the monetary settlement, RPMG will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/riverside-ra-cap.pdf
