Yet Another HIPAA Right to Access Records Fine AnnouncedIt's the 12th Enforcement Action of Its Kind
Federal regulators on Thursday issued their 12th enforcement action tied to a case involving a patient’s right to access their records, as spelled out in HIPAA.
The Department of Health and Human Services’ $65,000 financial settlement and corrective action plan with the University of Cincinnati Medical Center comes after a patient alleged that the organization failed to comply with her request to have an electronic copy of her medical records sent to a third party.
In a statement, the HHS Office for Civil Rights says that in May 2019, it received a complaint alleging that UCMC failed to respond to a patient’s Feb. 22, 2019, records access request directing UCMC to send an electronic copy of her medical records to her attorneys.
OCR says its investigation determined that UCMC failed to promptly provide a copy of the requested medical records in potential violation of HIPAA, which gives patients the right to have copies of electronic health records transmitted directly to a third party.
As a result of OCR’s intervention, the patient received all of the requested medical records in August 2019, the agency says.
“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice,” says Roger Severino, OCR director. “HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”
Corrective Action Plan
HHS OCR’s resolution agreement with UCMC requires the medical center to take corrective actions, including:
- Develop, maintain and revise, its written policies and procedures to comply with the HIPAA Privacy Rule, including standardized procedures for responding to patient requests for access to their designated record set;
- Implement those policies and procedures and distribute them to all members of its workforce and relevant business associates;
- Provide training to UCMC’s workforce members who are involved in the maintaining of designated record sets and other protected health information to ensure compliance with the policies and procedures;
- Apply appropriate sanctions against UCMC workforce members who fail to comply with those policies and procedures;
- Develop and implement a process for reviewing business associate performance with regard to access requests and responses and sanctioning those who fail to permit UCMC to comply with its HIPAA policies and procedures.
UCMC did not immediately respond to Information Security Media Group’s request for comment on the settlement.
Last week, HHS OCR issued its 11th HIPAA settlement involving a patient right of access to records complaint case. Rajendra Bhayani, M.D., of Queens, New York, agreed to pay a $15,000 penalty and also adopt a corrective action plan.
The agreement with UCMC is the 17th HIPAA settlement of any type announced by OCR so far this year. Those HIPAA settlements include a total of nearly $13.5 million in penalties.
The largest of OCR's HIPAA enforcement actions so far this year was a $6.8 million settlement announced in September with Premera Blue Cross in a case involving a 2014 data breach that exposed information on 10.4 million individuals.