HIPAA Right of Access Failure Attracts $85,000 Financial Penalty

The HHS’ Office for Civil Rights has announced the first HIPAA settlement under its HIPAA Right of Access initiative that was launched earlier this year.

The HIPAA Privacy Rule gives patients the right to obtain a copy of their medical records contained in designated record sets maintained by their healthcare providers. This is an important right as it allows patients to obtain information that is important to their health and wellbeing and empowers them to make decisions about their health.

Patients can use their health records to monitor chronic health conditions, stick to their treatment plans, and it gives them the opportunity to find and correct errors in their records. It also makes it easier for patients to share their health records with third parties for research or with other healthcare providers.

HIPAA requires healthcare organizations to process these requests within 30 days of the request being received in writing. The records should be provided in the format requested by the patient, as far as is possible, and while patients can be charged for copies of their records, a covered entity is only permitted to impose a reasonable, cost-based fee.

Under the HIPAA Right of Access initiative, OCR is scrutinizing covered entities to make sure that this right is being upheld and health information is being provided in a reasonable time frame at a reasonable cost. The drive is certainly important, as one recent study revealed more than half of healthcare providers are failing to comply with the HIPAA Right of Access. Patients often have to make multiple requests and wait a long time before complete copies of medical records are provided.

In September, OCR announced that Bayfront Health St. Petersburg in Florida had settled its HIPAA Right of Access case and had agreed to pay OCR a financial penalty of $85,000. Bayfront Health also agreed to adopt a corrective action plan to address the areas of noncompliance discovered by OCR investigators.

OCR had launched an investigation following receipt of a complaint from a patient who had not been provided with a copy of the fetal heart monitor records of her child. HIPAA permits a parent to obtain the health records of their children, provided those individuals are still minors.

The patient first made the request to Bayfront Health on October 18, 2017 but, at the time of submitting the complaint to OCR on August 14, 2018, a complete set of records had still not been provided. It took until August 23, 2018 for the records to be supplied to her counsel – 9 months after the initial request had been made. It took until February 9, 2019 for the records to be provided to the patient directly, and only as a result of the OCR investigation.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” OCR Director Roger Severino, in an announcement about the settlement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty for a violation of the HIPAA Right of Access – 45 C.F.R. § 164.524 – Bayfront Health’s correction action plan requires the development, maintenance, and updating of policies and procedures to ensure compliance with this aspect of the HIPAA Privacy Rule.

A sanctions policy must be implemented and applied to employees who refuse to comply with patient requests for copies of their medical records, and training protocols must be established for employees and its business associates with respect to this HIPAA provision. Business associates’ performance in relation to PHI access requests must also be reviewed and any business associate that fails to comply with Bayfront Health’s new policies must have their business associate agreements terminated.