Biggest Fine Yet for Patient Records Access Violation
HHS OCR's 14th Settlement Calls for $200,000 Fine
In the latest move in its ongoing initiative to enforce a HIPAA provision granting patients the right to access their records, federal regulators have slapped an Arizona integrated healthcare system with a $200,000 fine for failing to provide two individuals with timely records access.
The settlement with Banner Health is the 14th - and costliest - such enforcement action taken by the Department of Health and Human Services' Office for Civil Rights since it launched the initiative in April 2019 (see: HHS Lowers Some HIPAA Fines).
Phoenix-based Banner Health, one of the largest U.S. healthcare systems, operates 30 hospitals as well as numerous primary care, urgent care and specialty care facilities.
In a Tuesday statement, HHS OCR says its settlement with Banner Health came after two complaints.
In the first complaint, a patient said she requested access to her medical records in December 2017 but did not receive the records until May 2018. The second complaint alleged that another individual requested access to an electronic copy of his records in September 2019, but the records were not sent until February 2020.
"This first resolution of the year signals that our right of access initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records," said Roger Severino, OCR director.
A 'New Turn'?
OCR's settlement with the Banner Health System marks "a new turn" in OCR's approach to enforcing the HIPAA Privacy Rule's standards for patient access to their health information, says privacy attorney David Holtzman of the consultancy HITprivacy LLC.
"Typically, OCR provides HIPAA-covered entities the opportunity to take voluntary corrective action to resolve complaints from patients over access to their health information," Holtzman notes.
In OCR's settlement with Banner, the agency documents that the Banner Health facilities fulfilled the patients' requests for their protected health information, "although the time in which the data was provided was greater than permitted by the privacy rule," he points out.
Under the HIPAA Privacy Rule, covered entities must act on an individual's request for access to their records within 30 calendar days. But proposed changes to the HIPAA Privacy Rule, issued in December, call for reducing that deadline to 15 days (see: HHS Reveals Proposed Changes to HIPAA Privacy Rule).
Under the resolution agreement signed by Banner, the organization must adopt a corrective action plan that requires it to review, revise and distribute to staff its written policies and procedures on access to medical records and provide training on compliance.
Banner Health did not immediately respond to Information Security Media Group's request for comment on the settlement.
"OCR's message in pursuing this enforcement action in these complaints highlights that healthcare providers must recognize that an individual's right to access their health information requires the provider to send the data to a third party when designated by the patient or their representative," Holtzman says.
Holtzman adds that he expects patient access to health records to continue to be a top priority of HHS under the Biden administration.
"Patients' access to their health records, as well as opening up avenues for consumers to direct health records to third parties, was a major goal of the 21st Century Cures legislation championed by then-Vice President Biden" during the Obama administration, he notes.
"Along with efforts to expand patient access to their health information through the [HHS] information blocking and interoperability regulations, I would expect that this will remain an area of focus in the new administration."
OCR has issued 13 other HIPAA settlements in patient records access cases, with penalties ranging from $3,500 to $160,000.
Regulatory attorney Paul Hales of the law firm Hales Law Group notes that OCR's 14 enforcement actions focused on the HIPAA Privacy Rule right of access provision "prompts one to ask, 'What about all the other standards?'"
HHS OCR's HIPAA audit report issued in December "laid bare our national failure to protect individual health information," he says. For instance, 86% of covered entities and 83% of business associates audited by OCR in 2016 and 2017 "failed to receive a passing score in the risk analysis audit," he notes.
"I look for HHS and the new OCR director [under the Biden administration] to make health information security a high priority," he says. He predicts that will include OCR resuming work on the HIPAA compliance audit program, as required since 2009 under the HITECH Act and started during the Obama administration but shelved for the last four years.