Hospital Fined for Slow Records Release
HHS OCR Says Case Is First in New 'Right to Access' Initiative
Federal regulators have slapped a Florida healthcare provider with an $85,000 HIPAA settlement for failing to provide a mother with timely access to fetal monitoring records.
The Department of Health and Human Services’ Office for Civil Rights said its settlement with Bayfront Health St. Petersburg on Monday is the agency’s first enforcement action in its new “HIPAA right of access initiative.”
The agency earlier this year said it would vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged (see: HHS Lowers Some HIPAA Fines).
The enforcement action against Bayfront Health sends an important message, says privacy attorney Kirk Nahra of the law firm WilmerHale.
“This is something that covered entities, mainly doctors and hospitals … really need to get right,” he says. “While the dollar amount [of the Bayfront settlement] isn’t enormous … this is a critical area for these entities in terms of their reputation.”
Earlier Case
But this is not the first time the agency has taken an enforcement action in a right to access complaint case.
OCR’s very first HIPAA civil monetary penalty case in 2011 revolved around a healthcare provider’s failure to provide 41 patients with access to their medical records and its subsequent failure to cooperate with federal investigators.
In that case against Cignet Health of Prince George's County, Maryland, OCR levied a $4.3 million fine. OCR officials later confirmed that they did not collect the fine because Cignet eventually filed for bankruptcy.
New Settlement
Bayfront Health St. Petersburg is a level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR in a statement says it initiated its investigation based on an August 2018 complaint from the mother alleging that she requested her fetal heart monitor records from Bayfront Health starting in October 2017 and had not received them by the date of her complaint to the agency.
“As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request,” OCR says. The HIPAA rules generally require covered healthcare providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee, OCR says.
“This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child,” OCR adds.
Corrective Action Plan
In addition to paying the financial penalty, Bayfront Health has also agreed to a corrective action plan, OCR notes.
A resolution agreement in the case notes that Bayfront Health has agreed to:
- Develop, maintain and revise its written policies and procedures to comply with the HIPAA Privacy Rule’s right to access regulations;
- Provide those access policies and procedures to HHS for review within 60 days, then make necessary revisions within 30 days and implement those revised policies and procedures within 30 days;
- Distribute revised policies and procedures, and request a compliance certification from all appropriate members of the workforce and relevant business associates stating that they have read and will abide by such policies and procedures;
- Assess, update and revise its patient right to access policies and procedures at least annually or as needed;
- Review and update as necessary Bayfront’s “designated record set policy” to ensure comprehensive responses to requests for records;
- Provide training for all Bayfront’s workforce members and business associates who are involved in receiving or fulfilling access requests to ensure compliance with the policies and procedures.
OCR also notes that Bayfront’s corrective action plan includes one year of monitoring by the agency.
“Providing patients with their health information not only lowers costs and leads to better health outcomes - it’s the law,” OCR Director Roger Severino said in the statement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
Bayfront Statement
In a statement provided to Information Security Media Group about the case that triggered the settlement, Bayfront Health notes: “While we responded to the patient’s record requests, clerical errors unfortunately caused a significant delay in fulfilling the entire request for records. Delays in fulfilling requests for access to patient health information do not meet our service standards and we have sincerely apologized to the patient.”
Bayfront Health says it’s committed to timely fulfillment of patient record requests. “Working with our release of information vendor, staff have been re-educated on processes, including escalation procedures when requested documents cannot be located. Our hospital has also added more oversight by health information management staff of records requests and processing to ensure patients receive accurate records in a timely manner.”
An Important Issue
Some privacy and security experts note that providing patients with timely access to records is important for several reasons, including making sure patients are active participants in their health treatment and helping them to guard against records errors or tampering.
“While I think this is not a huge area of noncompliance, it is an important one,” says privacy attorney Iliana Peters of the law firm Polsinelli, who is a former OCR official. “I believe that is why OCR is undertaking this enforcement initiative.”
In terms of patient complaints about accessing their records, “I actually hear most often that individuals want immediate access to their medical records, including through potentially unsecure applications, which is, obviously, not a HIPAA Privacy Rule issue, and could be, in fact, a problem under the HIPAA Security Rule,” she says. “So, as always, it is important to ensure that patients can exercise their rights and get their records in a secure way.”