According to the HHS’ Office for Civil Rights (OCR), a settlement agreement has been negotiated with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) in relation to a possible HIPAA Right of Access breach.
DELC is a West Virginia-based healthcare supplier that focuses on treating endocrine disorders. In August 2019, a complaint was submitted to OCR which claimed that DELC had breached HIPAA when it didn’t respond to a request for a copy of protected health information within the permitted time limit. HIPAA-covered entities are given a maximum of 30 days to provide a copy of an individual’s protected health information contained in a designated record set. If that maximum time limit is exceeded, financial penalties can be applied.
On this occasion, the complainant requested a copy of her minor child’s protected health information and DELC did not fulfill this request inside the the permitted time period. DELC was made aware of the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) in relation to the alleged refusal to provide the patient’s mother with the records she requested on October 30, 2019.
Following the investigation, OCR ruled that failing to provide the requested records represented a breach of the HIPAA Right of Access. Following OCR’s investigation, DELC provided a copy of the requested records the child’s mother in May 2021, almost two years after the initial request had been submitted.
Along with to the HIPAA fine of $5,000, DELC has committed to implementing a range of remediation steps to ensure compliance with the HIPAA Rules, including reviewing and updating policies and processes for access to PHI and privacy training for the workforce on individual access to PHI. DELC will be closely policed by OCR for the next 24 months to make sure the Right of Access provisions of the HIPAA Privacy Rule are followed.
Acting OCR Director Robinsue Frohboese said, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
This action is the 8th financial penalty imposed by OCR in 2021 to address HIPAA Rule breaches.