Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH

Yet Another HIPAA Right to Access Records Fine Announced

It's the 12th Enforcement Action of Its Kind
Yet Another HIPAA Right to Access Records Fine Announced
University of Cincinnati Medical Center has settled a case involving a patient's right to access records.

Federal regulators on Thursday issued their 12th enforcement action tied to a case involving a patient’s right to access their records, as spelled out in HIPAA.

See Also: OnDemand | Making the Connection Between Cybersecurity and Patient Care

The Department of Health and Human Services’ $65,000 financial settlement and corrective action plan with the University of Cincinnati Medical Center comes after a patient alleged that the organization failed to comply with her request to have an electronic copy of her medical records sent to a third party.

The Complaint

In a statement, the HHS Office for Civil Rights says that in May 2019, it received a complaint alleging that UCMC failed to respond to a patient’s Feb. 22, 2019, records access request directing UCMC to send an electronic copy of her medical records to her attorneys.

OCR says its investigation determined that UCMC failed to promptly provide a copy of the requested medical records in potential violation of HIPAA, which gives patients the right to have copies of electronic health records transmitted directly to a third party.

As a result of OCR’s intervention, the patient received all of the requested medical records in August 2019, the agency says.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice,” says Roger Severino, OCR director. “HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”

Corrective Action Plan

HHS OCR’s resolution agreement with UCMC requires the medical center to take corrective actions, including:

  • Develop, maintain and revise, its written policies and procedures to comply with the HIPAA Privacy Rule, including standardized procedures for responding to patient requests for access to their designated record set;
  • Implement those policies and procedures and distribute them to all members of its workforce and relevant business associates;
  • Provide training to UCMC’s workforce members who are involved in the maintaining of designated record sets and other protected health information to ensure compliance with the policies and procedures;
  • Apply appropriate sanctions against UCMC workforce members who fail to comply with those policies and procedures;
  • Develop and implement a process for reviewing business associate performance with regard to access requests and responses and sanctioning those who fail to permit UCMC to comply with its HIPAA policies and procedures.

UCMC did not immediately respond to Information Security Media Group’s request for comment on the settlement.

Other Cases

Last week, HHS OCR issued its 11th HIPAA settlement involving a patient right of access to records complaint case. Rajendra Bhayani, M.D., of Queens, New York, agreed to pay a $15,000 penalty and also adopt a corrective action plan.

The agreement with UCMC is the 17th HIPAA settlement of any type announced by OCR so far this year. Those HIPAA settlements include a total of nearly $13.5 million in penalties.

The largest of OCR's HIPAA enforcement actions so far this year was a $6.8 million settlement announced in September with Premera Blue Cross in a case involving a 2014 data breach that exposed information on 10.4 million individuals.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.