The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA Right of Access enforcement action against Renown Health that stems from a failure to provide a patient with timely access to her medical records.
OCR received a complaint from a Renown Health patient in February 2019 who alleged Renown Health had not provided her attorney with a copy of her requested medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient sent a request to Renown Health in January 2019 for an electronic copy of her protected health information, including billing records, to be sent to her attorney. The electronic records were eventually sent to her attorney, but not until December 27, 2019 – 11 months after the request was initially made.
The Right of Access provision of the HIPAA Privacy Rule requires patients to be provided with access to their medical records within 30 days of a request being made. OCR determined the delay in providing the records was in violation of the HIPAA Right of Access and that the violation warranted a financial penalty.
Renown Health agreed to settle the case and paid a $75,000 penalty and will adopt a corrective action plan to ensure its policies and procedures are compliant with this important HIPAA Privacy Rule provision. The corrective action plan requires policies and procedures to be developed and maintained covering the HIPAA Right of Access, for employees to be trained on those policies and procedures, and for sanctions to be applied when employees fail to follow procedures. OCR will monitor Renown Health for 2 years to ensure compliance.
The settlement is the fifteenth under OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019, and the third settlement of 2021 to resolve alleged HIPAA violations.
“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.