The Department of Health and Human Services’ Office of Civil Rights has fined two more healthcare providers for violating the Health Insurance Portability and Accountability Act (HIPAA) by not providing individuals with access to their medical records, a requirement that could intersect with the Fair Debt Collection Practices Act for any agency that is working healthcare accounts.
The providers are the tenth and eleventh to be fined by the OCR for not providing individuals with access to their medical records in a timely manner. Riverside Psychiatric Medical Group in California has agreed to pay a $25,000 fine after a patient did not receive access to her medical records, even after OCR had provided technical assistance to the healthcare provider to help it comply with HIPAA’s right of access requirements. Similarly, a private practitioner in New York has agreed to pay $15,000 to settle claims after he failed to provide access to a patient’s medical records, again even after OCR had provided technical assistance.
HIPAA’s right of access requirements and the FDCPA overlap if and when an individual submits a timely request to verify a debt, said Leslie Bender, senior counsel at Clark Hill.
“Vendors, like debt collectors, servicing patient receivables on behalf of healthcare providers – understand that a timely request for verification of a debt, depending upon its scope or nature, may overlap with a patient’s HIPAA right of access and that intersection should be evaluated when responding,” Bender said. “Although the FDCPA would allow a debt collector to close out an account instead of responding to a verification request, HIPAA does not provide such an option. There is no time like the present to revisit the terms and conditions of your business associate agreements and HIPAA Privacy Rule training to assure that patients’ requests to access their medical record and an organization’s ability to respond are prioritized by healthcare organizations and their business associates.”