The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported the 11th financial penalty in connection with its HIPAA Right of Access enforcement initiative to Dr. Rajendra Bhayani. Dr. Bhayani who is a private practitioner based in Regal Park, NY specializing in otolaryngology is going to pay a $15,000 financial penalty to settle the case and undertake a corrective action plan to fix areas of noncompliance found by OCR in the course of the investigation.
OCR investigated the practitioner after receiving a patient complaint in September 2018 claiming that Dr. Bhayani did not give her copy of requested medical records. The patient submitted a request to the otolaryngologist last July 2018, but she did not get the copy of health records two months later.
OCR got in touch with Dr. Bhayani and gave technical assistance concerning the HIPAA Right of Access and closed the issue; however, OCR received a second complaint from the same patient in July 2019, that is a year after, saying that she hasn’t received her medical records. OCR intervened once more and finally the patient got her health records in September 2020, after 26 months of filing the initial request. Under HIPAA, healthcare providers need to provide requested medical records within 30 days of getting a request.
OCR confirmed Dr. Bhayani’s failure to deliver the health records as a violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524) . He also failed to reply to the letters from OCR on August 2, 2019 and October 22, 2019 asking for data. The inability to cooperate with OCR’s investigation of a complaint violates 45 C.F.R. §160.310(b). OCR decided to penalize the violations. Dr. Bhayani agreed to pay and settle the case with no admission of liability.
Doctor’s offices, whether large or small, should deliver requested medical records to patients in a timely manner. OCR Director Roger Severino said that it will continue prioritizing HIPAA Right of Access cases for enforcement until healthcare providers comply.
Dr. Bhayani also needs to undertake a corrective action plan. Policies and procedures must be reviewed providing people access to their PHI as per 45 C.F.R. § 164.524. The policies should detail the strategies utilized to determine a fair, cost-based rate for giving access. Those policies ought to be filed with OCR for evaluation, and any modifications requested by OCR should be executed in 30 days. Dr. Bhayani additionally ought to provide privacy training to employees about protected health information (PHI) access. The training materials should be submitted to OCR as well for evaluation and approval.
Every quarter, Dr. Bhayani is mandated to send OCR a list of all access requests, including the costs charged for handling the requests, together with details of any requests that were declined. OCR should receive reports of any cases of employees not complying with access requests.
OCR will keep track of Dr. Bhayani for two years from the date of the resolution agreement to make sure of continued HIPAA Right of Access compliance.