Earlier in 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) revealed that one of the main focuses of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical data.
The HIPAA right of access permits patients to obtain copies of their medical records on request. HIPAA-covered entities must honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being registered. A covered entity is allowed to charge a reasonable, cost-based fee for supplying a copy of the individual’s PHI, which can include the cost of certain labor, supplies and post costs.
HIPAA-covered groups that do not provide copies of records in a reasonable time frame or charge excessive amounts for supplying a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such breaches can result in a sizable financial penalty.
This week, OCR has revealed that the first settlement has been agreed with a HIPAA-covered entity under the new right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has committed to paying OCR $85,000 to settle the case.
OCR kicked off an investigation into a possible HIPAA violation at Bayfront Health after receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had asked for fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months following her request being made, she had still not been given a full copy of her records.
OCR said that the patient submitted the request on October 18, 2017 and was told by Bayfront Health that the records could not be located. Two further requests were submitted to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete reply was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be given to the patient. Those records were given directly to the patient on February 7, 2019.
OCR ruled that the failure to provide access to the patient’s designated record set was a clear breach of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable fine.
OCR Director Roger Severino said: “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
Along with the financial penalty, Bayfront Health has agreed to configure a corrective action plan and will be monitored by OCR for the following 1 year.
The latest enforcement measures – OCR’s third of 2019 – is the first action against a HIPAA-covered entity for a breach of the HIPAA right of access under the new scheme, but it is not the first time that OCR has issued a fine for such a breach. In 2011, Cignet Health of Prince George’s County was issued with a civil monetary fine of $4,300,000 for not giving patients access to their medical data.