Healthcare Company Agrees to Pay $70,000 to Settle a HIPAA Right-of-Access Violation

A healthcare company located in California has agreed to take corrective actions and pay $70,000 to the Office for Civil Rights (OCR) to settle a potential violation of the HIPAA Privacy Rule’s right-of-access standard. This is the sixteenth settlement of an OCR enforcement action under its HIPAA Right-of-Access Initiative. The initiative supports individuals’ right to timely access to their medical records at a reasonable cost under the HIPAA Privacy Rule.

In June 2019, a complaint was filed with OCR alleging that the healthcare company failed to take timely action in response to a patient’s records request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided the California healthcare company with technical assistance on the HIPAA Right-of-Access requirements.

In August 2019, OCR received a second complaint alleging that the healthcare company still had not responded to the patient’s record access request. OCR initiated an investigation and determined that the healthcare company’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA Right-of-Access standard. As a result of the investigation, the healthcare company provided access to the requested records.

The involved company provides healthcare through four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan. In addition to the monetary settlement, the company will undertake a corrective action plan that includes two years of monitoring.

Issue:

All appropriate members of the facility should be aware of the HIPAA Privacy Rule’s Right-of-Access standard, which gives individuals the right to timely access to their medical records at a reasonable cost upon request. When an individual or a representative requests a medical record and the request is not addressed in a timely manner and at a reasonable cost, this may be seen as a violation of the HIPAA Privacy Rule’s Right-of-Access standard. The violation could result in monetary penalties and other corrective actions.

Discussion Points:

  • Review your policies and procedures for the HIPAA Privacy Rule, requests for copies of medical records, and the related fee structure to ensure they comply with current standards. Update policies as needed.
  • Train all appropriate staff on the HIPAA Privacy Rule and the access standard for obtaining a medical record. Document that the trainings occurred, and file each signed training record in the employee’s education file.
  • Audit all requests for medical records to ensure that the requests were completed in a timely manner and at a reasonable cost.