
Compliance Mentor - April 2016


Second HIPAA Guidance Issued Clarifies Fees for Medical Record Copies

The Office of Civil Rights (OCR) has issued a fact sheet clarifying the fees patients may be charged for copies of their medical records. It also states that patients have the right to send medical records to a third party if they so choose.

According to OCR, patients can only be charged a reasonable cost-based fee for labor and supplies associated with making a copy. This includes paper and electronic copies provided on a CD or a flash drive. Labor for copying can include producing paper copies of the records and scanning them into electronic format, but cannot include reviewing the request for copies of the records, nor can it include the time in searching or retrieving the records. Labor costs may also include the time in uploading or transferring electronic protected health information (PHI) to a Web-based portal, email, smartphone app, portable media, or other method of delivery. Postage can be charged if the patient requests the records be mailed.

Many hospitals contract with third-party companies to process medical record requests. Administrative and other costs associated with outsourcing this function cannot be passed on to the patient. A flat fee can be charged for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. Retrieval fees and other costs not permitted by the Privacy Rule cannot be charged, even if authorized by state law. A facility cannot refuse to give a patient a copy of his or her medical records because he or she has not paid a bill. Patients cannot be charged a fee if they want to view their medical records, or if they take notes or make copies using cell phones or other devices.

The hospital or other covered entity must inform the patient of the cost of the medical records in advance, according to OCR. The fact sheet also states the hospital or other covered entity should post on its website the approximate fees for regular types of access requests.


Olympus to Pay $646 Million in Largest Anti-kickback Settlement Ever

Imaging and medical equipment manufacturer Olympus agreed to pay a $646 million settlement for charges that it violated the False Claims Act and Anti-Kickback Statute – the largest Anti-Kickback settlement in history.

The company’s former compliance officer filed a whistleblower suit, claiming that the company paid kickbacks to healthcare providers in violation of the False Claims Act and the Anti-Kickback Statute in the form of grants, fellowships, consulting payments, free trips to Japan and other exotic locations, payment for recreational activities, no-charge loans, and free use of equipment. The action alleged that one physician received $400,000 in free endoscopes after he played a major role in persuading his hospital to purchase millions of dollars’ worth of Olympus products. The compliance officer was fired after he discovered the fraud and implemented a compliance program.

The Department of Justice (DOJ) charged Olympus with violating the Anti-Kickback Statute. The DOJ worked with the U.S. Attorney’s Office for the District of New Jersey. The case is United States ex rel. John Slowik et al. v. Olympus Corporation of the Americas, et al., Civ. No. 10-cv-5994 (D. N.J.).


Johnson & Johnson to Pay $502 Million over Hip Devices

A federal jury awarded five Texas patients $502 million for injuries caused by defective hip replacement devices from Johnson & Johnson, including $142 million in compensatory damages and $360 million in punitive damages.

The verdict may affect similar lawsuits that have been filed by 7,000 patients. The plaintiffs alleged that the DePuy Orthopedic Ultamet metal-on-metal hip replacement spread metal debris into their bloodstreams. This caused major injuries in some patients, which necessitated additional surgeries.

To date, the device has not been recalled. The company announced several years ago that it would pay $2.5 billion to settle lawsuits over a different line of failed metal-on-metal implants.

The jury found the devices defective, and that the company failed to warn physicians about the dangers. The company said it will appeal the decision.

The five cases are: Aoki v. DePuy Orthopedics, et al., No. 3:13-cv-01071-K; Christopher v. DePuy Orthopedics, et al., No. 3:14-cv-01994-K; Greer v. DePuy Orthopedics, et al., No. 3:12-cv-01672-K; Klusmann v. DePuy Orthopedics, et al., No. 3:11-cv-02800-K; and Peterson v. DePuy Orthopedics, et al., No. 3:11-cv-01941-K.

Stolen Laptops Lead to Multi-million-dollar HIPAA Settlements

The Feinstein Institute for Medical Research in Manhasset, NY, entered into a $3.9 million settlement with the U.S. Department of Health and Human Services (HHS) after a laptop computer was stolen from an employee’s car.

The laptop contained patient names, dates of birth, addresses, Social Security numbers, diagnoses, lab results, medications, and other medical information of 13,000 patients. The institute lacked policies and procedures for authorizing staff access to electronic PHI, and failed to restrict access to authorized users.

In a related case, North Memorial Hospital Health Care of Minnesota agreed to a $1.55 million settlement for a HIPAA violation. It is the first settlement in which a hospital or other covered entity has been held to account for failing to execute a business associate agreement (BAA).

The investigation started in September 2011, following a breach report that an unencrypted, password-protected laptop containing the PHI of more than 9,600 patients had been stolen from the locked car of an employee of a business associate. There was no business associate agreement in place. The hospital had not conducted a risk assessment, even though the business associate had access to about 290,000 patient medical records.

OCR announced that business associates will be targeted in its next round of privacy and security audits, and has contacted hospitals for information on their covered entities. Audits are conducted to verify hospitals and other covered entities are in compliance with HIPAA rules.

Hospitals and other covered entities should ensure they have appropriate business associate contracts signed and are following the HIPAA requirements related to business associates. HHS offers model business associate agreement language at:, as well as guidance on conducting a HIPAA Risk Analysis at: