Healthcare Organization Fined Over Medical Records

The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) recently announced it was taking action against Korunda Medical, a pain management provider. HIPAA, the law mandating and enumerating a patient’s right to privacy, was enacted in 1996. However, the parts of this law that require providers to give patients copies of their medical records in a timely and affordable manner were not actually enforced until now.

Background on the Law

Part of the 1996 HIPAA law mandates that medical providers furnish patients with records no less than 30 days after a request is made. Providers must also ensure patients be charged no more than the cost of making a copy of the records. The OCR found that Korunda not only failed to comply with this section of the law, but continued to neglect its responsibilities even after the government offered its assistance. After the OCR began its investigation, Korunda gave patients their medical records for free.

The Settlement

The case follows another recent action taken against a different Florida provider, Bayfront Health of St. Petersburg, in September. Bayfront was required to pay $85,000 and submit a corrective action plan.

HHS forced a similar settlement on Korunda, under which Korunda agreed to pay $85,000 to its patients to settle the charges. Although the pain center admitted no wrongdoing on its part, it did agree to institute “corrective actions.” These included mandatory employee retraining and a fee for providing patients with their records that directly corresponds to the cost and labor involved.

As part of its settlement agreement, Korunda will be required to:

  • Make regular reports to the HHS every 90 days regarding patients who requested their medical records
  • Report any HIPAA violations within 30 days of their discovery

HHS will be monitoring Korunda for the entire next year. “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia,” said director of the Office for Civil Rights Roger Severino in a press release. “We hope our shift to the imposition of corrective actions and settlements under our right to access initiative will finally wake up healthcare providers to their obligations under the law.”

The Need for Compliance

We have entered a brave new world of privacy regulations. After the advent of personal computing and the internet did so much to erode personal privacy, the governments of the world have, somewhat belatedly, begun to respond. Older laws are being enforced for the first time, and newer ones (like the GDPR in Europe) are being passed left and right.

Secure Data has the tools that medical providers need to keep up with this fast-changing world. Our hardware-encrypted and HIPAA-compliant SecureUSBs are an ideal way to store medical patient data. Not only are they physically impossible to hack, they are user-friendly as OS-independent devices with secure authentication methods. Sending patient data would be as easy as plugging the device into a hospital computer to send or store patient records. In fact, the SecureUSB with patient records could simply be handed to the patient, ensuring only the doctor and patient had access to the records.

For more information on how our hardware-encrypted storage can help keep your healthcare organization in line with HIPAA rules and regulations, call 1-800-875-3230.