Pediatric Care Provider Fined $80,000 for HIPAA Right of Access Violation

A pediatric hospital in Omaha, NE has agreed to settle a Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA investigation and will pay a financial penalty of $80,000 to close the case.

The investigation was launched in response to a complaint from a patient who was not provided with a copy of her late daughter’s medical records in a timely manner. HIPAA gives individuals the right to obtain a copy of their health records and those of their minor children from HIPAA-covered entities such as hospitals. When a request is received, records must be provided to patients in paper or electronic form within 30 days of the request being received. In some cases, it is possible to extend the time by a further 30 days, such as if medical records cannot easily be obtained.

In this case, a parent sent a request to Children’s Hospital & Medical Center (CHMC) but only some of the requested records were provided. The parts of the medical records that were not provided were held at a different CHMC division. The initial request was submitted on January 3, 2020, and several follow up requests were made by the parent. CHMC provided some of the remaining records on June 20, 2020 and the remainder of the requested records were provided on July 16, 2020.

OCR investigated and confirmed that the delay in providing the records was a violation of the HIPAA Right of Access (45 C.F.R. § 164.524(b)). CHMC chose to settle the case with no admission of liability and pay a $80,000 penalty. Under the terms of the settlement, CHMC is also required to review and update its policies and procedures covering patient medical record access requests, distribute the records to the workforce, and provide training on the policies and procedures. OCR will monitor CHMC for compliance for a period of one year.

This is the 20th financial penalty to be imposed by OCR under its HIPAA Right of Access enforcement initiative. OCR launched the initiative in the fall of 2019 after becoming aware that many healthcare providers were failing to provide patients with their requested records.

The financial penalties are intended to send a message to healthcare providers that all patients must be provided with timely access to their medical records. Most of the financial penalties were imposed following receipt of a compliant from a single patient who was either impermissibly denied access to their health records, or were not provided with a copy of the requested records within 30 days.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: