OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces the resolution of its twentieth investigation in its HIPAA Right of Access Initiative. OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
Children’s Hospital & Medical Center (CHMC) has agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. CHMC is located in Omaha, Nebraska, and provides pediatric health care services.
In May 2020, a parent filed a complaint with OCR alleging that CHMC had failed to provide her with timely access to her minor daughter’s medical records. CHMC provided some records but did not provide all of the requested records in response to the parent’s multiple follow-up requests.
“We recommend all Covered Entities to invest time into reviewing and updating your Privacy Policies and Procedures to ensure your organization is adhering to the access requirements and is knowledgeable on the enhanced requirements surrounding the electronic availability of medical records to patients.”
Kensey Tickell, Edafio Healthcare and Cybersecurity Consultant, CPCO, HCISPP
OCR initiated an investigation and determined that CHMC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, the parent finally received all of the requested records.
“There is an increased focus from HHS on Privacy Compliance, in particular, on Patient’s Right of Access. With the enactment of the 21st Century Cures Act and the Information Blocking Rule, we anticipate this focus to increase,” said Healthcare Consultant, CPCO, HCISPP, Kinsey Tickell. “We recommend all Covered Entities to invest time into reviewing and updating your Privacy Policies and Procedures to ensure your organization is adhering to the access requirements and is knowledgeable on the enhanced requirements surrounding the electronic availability of medical records to patients.”
“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right,” said Acting OCR Director Robinsue Frohboese.
In addition to the monetary settlement, CHMC will undertake a corrective action plan that includes one year of monitoring. A copy of the resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chmc-ra-cap/index.html.
Our healthcare consulting team has decades of combined compliance experience in the healthcare industry. We work with numerous healthcare entities, business associates of covered entities, and other healthcare-related companies, supporting their HIPAA compliance activities. When you talk, we listen and provide a tailored solution for your business needs. Our certified specialists are standing by to help. Contact us today.