Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH
HHS Issues Another Settlement on Patient Access to Records
13th Settlement in Ongoing Effort to Enforce HIPAA ProvisionFederal regulators have issued their 13th HIPAA settlement tied to failing to give a patient access to their records.
See Also: Identity Security Trailblazers - Health First
The $36,000 settlement and corrective action plan with Peter Wrobel, M.D., a vein specialist at Waycross, Georgia-based Elite Primary Care, was announced Tuesday by the Department of Health and Human Services’ Office for Civil Rights.
“Healthcare providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” says OCR Director Roger Severino.
Tardy Response
OCR says it received a complaint in April 2019 alleging that Elite Primary Care failed to respond to a patient's request for access to his medical records. In May 2019, OCR provided technical assistance to Elite on the HIPAA right of access requirements and closed the complaint.
But in October 2019, OCR received a second complaint alleging that Elite still had not provided the patient with access to his records. As a result of OCR’s second investigation, the patient finally received a copy of his records in May 2020, the agency says.
Since launching its initiative last year to ramp up enforcement of HIPAA’s requirement to provide patients with timely access to their records, OCR has issued a series of 13 HIPAA settlements with penalties ranging from $3,500 to $160,000.
Under the Elite Primary Care settlement’s corrective action plan, the practice must develop and distribute to staff written policies and procedures to comply with the right of access provision. It must also provide training to all workforce members that are involved in receiving or fulfilling records access requests.
Elite Primary Care did not immediately respond to an Information Security Media Group request for comment.
Tighter Deadlines Coming?
Under HIPAA, covered entities must within 30 days fulfill patients' requests for copies of their health information in the format of their choice.
But that deadline could eventually be even tighter. Under a proposal issued by OCR this month to modify the HIPAA Privacy Rule, the compliance timeframe could potentially be reduced to 15 days (see: HHS Reveals Proposed Changes to HIPAA Privacy Rule).