HHS OCR Issues 19th 'Right of Access' Settlement
Small Medical Practice Agrees to Pay Fine, Take Corrective Actions
In its 19th enforcement action involving a HIPAA "patient right of access" dispute, the Department of Health and Human Services smacked a small specialty medical practice with a financial fine and a supervised corrective action plan for failure to provide a parent with timely access to her child's medical records.
The HHS Office for Civil Rights in a statement Wednesday said Martinsburg, West Virginia-based Diabetes, Endocrinology & Lipidology Center Inc. has agreed to pay $5,000 and implement corrective actions to settle potential violations of the HIPAA patient right of access standard.
HHS OCR says the case centered on an August 2019 complaint filed with the agency, alleging the center failed to take timely action in response to a parent’s records access request made in July 2019, for a copy of her minor child’s protected health information.
OCR says it initiated an investigation into the parent's complaint and determined that the center’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
As a result of OCR's investigation, the center provided the requested records in May 2021, nearly two years after the parent’s request.
“It should not take a federal investigation before a HIPAA-covered entity provides a parent with access to their child’s medical records,” said Robinsue Frohboese, acting director of OCR, in the statement.
“Covered entities owe it to their patients to provide timely access to medical records.”
Under the resolution agreement signed with OCR, the center will take the following corrective actions:
- Revise its policies and procedures for individual access to protected health information;
- Implement those policies and procedures within 120 days upon OCR's approval of the revisions;
- Provide training materials to its workforce regarding the individual’s right of access to PHI;
- Submit to HHS a list of requests for access to PHI received by Diabetes, Endocrinology & Lipidology Center Inc., including the date the request was received, date the request was completed, format requested, format provided and cost;
- If the center denies any request for record access, in whole or in part, it must also submit to HHS all related documentation.
Diabetes, Endocrinology & Lipidology Center Inc. did not immediately respond to Information Security Media Group's request for comment.
OCR’s settlement with the small endocrinology practice, in which the healthcare provider agreed to pay a penalty and commit to a supervised corrective plan, "appears to mark a new approach for enforcement of the Privacy Rule’s standards for patient access to their health information," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
Healthcare organizations should take notice "that HHS is serious" about providing patients with access to their health information promptly, he says.
Typically, OCR provides HIPAA-covered entities the opportunity to take "voluntary" corrective action to resolve complaints from patients over access to their health information, he notes.
"It is often three to five years from the time HHS launches its investigation to when a formal enforcement action results in a settlement or fixing a civil money penalty," he says.
"What is different is that OCR investigated and resolved this complaint with formal enforcement action in less than two years."
The financial payment by Diabetes, Endocrinology & Lipidology Center Inc. is among the smaller settlements issued by HHS OCR as part of the agency's patient right of access initiative, launched in April 2019. Other settlements in such cases have ranged from $3,500 to $200,000.
"I do think the Biden admin will continue to pursue these [access] cases – it is an important issue and there is a rational approach that goes after these relatively straightforward cases even if they are small dollar cases," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"The administration continues to believe that patient access is really important and is part of a broader approach to overall healthcare."
Patient access issues are also top regulatory priorities for other HHS agencies beyond OCR.
For instance, new 21st Century Cures Act regulations from the Office of the National Coordinator for Health IT that promote patient access to their digital health records via smartphones and standardized application interfaces went into effect in April (see: New Regs Aim to Improve Patient Records Access, Sharing).
The resolution agreement with the endocrinology practice is OCR's sixth right of access settlement and eighth HIPAA enforcement action so far in 2021 (see: Why Clinical Lab HIPAA Settlement Is Significant).
OCR's largest settlement so far this year - $5.1 million - was announced in January with Excellus Health Plan. That settlement stemmed from a hacking incident reported in 2015 that affected 9.3 million individuals.