EMS Provider Pays Penalty for Not Giving Timely Access to Patient Records
American Medical Response (AMR) paid a civil monetary penalty of $115,200 for failing to provide patients with timely access to their medical records. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced this week that it collected the penalty from AMR, a provider of emergency medical services across the U.S. and a HIPAA-covered entity.
The penalty resulted from an investigation based on a complaint that AMR had failed to provide a patient with timely access to their medical records. It took 370 days from the patient’s initial request to AMR on October 31, 2018, to receive her billing and medical records in electronic format on November 5, 2019. That is substantially longer than the 30 days required by the HIPAA Privacy Rule’s right of access provisions, even with a possible 30-day extension.
The patient had sent AMR a follow-up request after the initial request, which garnered her an invoice, citing that she needed to pay it before the records could be released. She then sent another follow-up to AMR, demanding the records be provided, or a complaint would be filed with OCR. She didn’t receive her records and filed the complaint. More details are included in the OCR’s Notice of Final Determination. AMR has since revised its policies and procedures to handle patient requests for medical records more efficiently.
Workforce Training on HIPAA Requirements is Crucial
“This recent OCR fine is a reminder of the risks for failing to provide patients or their HIPAA personal representatives with timely access to their protected health information maintained in one or more designated record sets,” said David Ginsberg, PrivaPlan CEO.
“Twenty-one years after the Privacy Rule went into effect, we have a whole new generation of medical records, front office, and administrative workforce who do not fully understand the HIPAA requirements,” said Ginsberg. “PrivaPlan can help ensure your workforce training is effective!”
Be Proactive in Compliance
The HIPAA Privacy and Security Rules have specific requirements regarding workforce training, security reminders, and periodic updates. PrivaPlan offers training options for any type of covered entity or business associate.
HIPAA Rules Require Timely Access to Health Records
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow relating to the privacy and security of protected health information.
“HIPAA gives patients a right to timely access to their medical records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to enforce this right through investigations, and when necessary, by imposing civil money penalties.”
The civil money penalty marks OCR’s 49th HIPAA Right of Access Enforcement Action.