Biggest 'Right to Access Records' Penalty Announced
HHS Reveals Eighth Settlement; Includes $160,000 Fine, Corrective Action Plan
Federal regulators have issued their eighth - and by far the largest - HIPAA penalty for failure to provide timely access to a patient's health records.
In a Wednesday statement, the Department of Health and Human Services' Office for Civil Rights says Phoenix-based Dignity Health, which does business as St. Joseph's Hospital and Medical Center, agreed to take corrective actions and pay $160,000 to settle a case involving the HIPAA Privacy Rule's provision guaranteeing patients the right to access their records.
OCR's resolution agreement in the case follows five other settlements - ranging from $3,500 to $70,000 - that OCR announced last month involving complaints about records access (see: Fines Tied to Failure to Provide Patients With Records).
In addition, OCR announced two similar $85,000 settlements with Florida-based entities Bayfront Health St. Petersburg and Korunda Medical last fall. That announcement came after the agency announced its enforcement initiative for the HIPAA patient record access provision (see: HHS Lowers Some HIPAA Fines).
"This is a steady and ongoing effort by OCR, and the numbers are getting bigger," says privacy attorney Kirk Nahra of the law firm WilmerHale. "Covered entities need to be paying careful attention to access requests. This is a real issue with real risks."
OCR notes that, on April 25, 2018, it received a complaint from a mother alleging that, beginning in January 2018, she made multiple requests to St. Joseph's Hospital and Medical Center for a copy of her son's medical records as his personal representative.
"SJHMC provided some of the requested records, but despite the mother's follow-up requests in March, April and May 2018, SJHMC did not provide all of the requested records," OCR notes in its statement.
OCR determined that the hospital's actions were a potential violation of the HIPAA right of access standard. "As a result of OCR's investigation, SJHMC sent all of the requested medical records to the mother on December 19, 2019, more than 22 months after her initial request," OCR says.
"It shouldn't take a federal investigation to secure access to patient medical records, but too often that's what it takes when health care providers don't take their HIPAA obligations seriously," said Roger Severino, director of HHS OCR. "OCR has many right of access investigations open across the country and will continue to vigorously enforce this right to better empower patients."
Promptly providing individuals or their authorized representatives with copies of health information is more important than ever in light of ransomware incidents that can suddenly hinder an organization's access to patient records, Severino noted in a recent interview with Information Security Media Group.
"If you don't have [a copy of] the proper medical information ... you might not have the right diagnosis or a conflict in the medicines prescribed," he says.
"What happens if that information is locked down in a ransomware attack? That information is unavailable, and if you need the information in an emergency situation, you will not have it. And that could have life-and-death consequences."
Under the resolution agreement, the Arizona hospital has agreed to take a number of corrective actions, including:
- Developing and implementing written access policies and procedures;
- Distributing access policies and procedures to appropriate members of the workforce and relevant business associates;
- Providing training to all staff members and business associates who are involved in receiving or fulfilling access requests to ensure compliance with the policies and procedures;
- Applying appropriate sanctions against staff members who fail to comply with policies and procedures;
- Reviewing business associate performance with access requests and responses and terminating relationships with those who fail to comply with the procedures and policies.
"OCR has put healthcare organizations on notice that they should take a critical look at their policies, procedures and processes for how patients can request, access and obtain their protected health information," notes privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"The agency has produced numerous guidance and audit assessment tools to assist covered entities in meeting HIPAA's requirements. When contracting with a business associate to provide patient access to their PHI, covered entities must ensure that their policies and procedures meet the privacy rule's standards," he says.
Dignity Health St. Joseph's Hospital and Medical Center did not immediately respond to ISMG's request for comment on the settlement.
In addition to these recent HIPAA settlements involving right of access cases, HHS earlier this year rolled out information blocking and health IT interoperability final rules called for under the 21st Century Cures Act.
Besides tackling health data exchange issues, the rules aim to improve patients' secure access to their health data.
That includes promoting the use of standardized application programming interfaces for patients to securely access information from electronic health records using smartphones and other mobile devices (see: ONC's Donald Rucker: More Work to Do on Health Data Privacy).
12th Settlement This Year
The resolution agreement with St. Joseph's Hospital and Medical Center is the twelfth HIPAA settlement issued by OCR so far this year.
The largest of those - a $6.8 million settlement with Premera Blue Cross - was issued last month in a case involving a 2014 hacking incident that exposed the protected health information of 10.4 million individuals.