The Office for Civil Rights (OCR) at the US Department of Health and Human Services announced its nineteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative to support individuals’ right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule.
A diabetes and endocrinology center (Center) agreed to take corrective actions and pay $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. The Center is a West Virginia based healthcare provider offering treatment for endocrine disorders.
In early August 2019, a complaint was filed with OCR alleging that the Center failed to take timely action in response to a parent’s records access request made in July 2019 for a copy of her minor child’s protected health information. OCR initiated an investigation and determined that the Center’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, the Center provided the requested records in May 2021, nearly two years after the parent’s request.
The Acting OCR Director stated, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
In addition to the monetary settlement, the Center will undertake a corrective action plan that includes two (2) years of monitoring.
A copy of the resolution agreement and the corrective action plan can be accessed here. Those using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.
Compliance Perspective
Issue
It is essential that all healthcare workers understand HIPAA requirements, and how they must be followed to secure protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare for patients, and facilities must promptly provide requested information to authorized individuals. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and timely response to requests from authorized individuals.
- Train all staff on HIPAA, PHI, and Privacy, including responding timely to requests for records, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that facility’s policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.