Korunda Medical fined $85,000 Penalty for HIPAA Right of Access Failures


The Department of Health and Human Services’ Office for Civil Rights has revealed its second enforcement penalty has been applied under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has committed to settling possible breaches of the HIPAA Right of Access and will implement a corrective action plan and bring its policies and procedures in line with the obligations of the HIPAA Privacy Rule.

In March 2019, OCR was sent a complaint from a patient who alleged she had not been given a copy of her medical records in the requested electronic format despite making a number of requests. The complainant claimed that Korunda Medical would not to send an electronic copy of her medical records to a third party and was overcharging patients for supplying copies of their medical records. Under HIPAA, covered groups are only allowed to charge a reasonable, cost-based fee for supplying access to patients’ protected health information.

The initial complaint was submitted with OCR on March 6, 2019. On March 18, 2019, OCR provided technical help to Korunda Medical on the HIPAA Right of Access and shut off the complaint. Four days later, a second complaint was sent which showed continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been initiated. Due to this OCR intervention, the complainant was given with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in a $85,000 finey for Korunda Medical.

OCR Director, Roger Severino said: “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law”.

The HIPAA Right of Action Initiative is a HIPAA enforcement drive to see to it that HIPAA-covered entities are supplying patients with copies of their medical records in a timely fashion, in the format of their choosing, and without being overcharged. The original enforcement action under this initiative was revealed in September 2019. Bayfront Health St Petersburg was also directed to pay a financial penalty of $85,000 to settle HIPAA Right of Access failures.

This represents the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases in 2019 and has issued one civil monetary penalty, with the financial penalties varying from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA breaches.