University of Cincinnati Medical Center HIPAA Right of Access Failure Results in $65,000 Fine

The 18th HIPAA financial penalty of 2020, and the 12th fine under its HIPAA Right of Access enforcement initiative, has been announced by HHS’ Office for Civil Rights (OCR).

The most recent HIPAA compliance fine of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and grew out of a complaint submitted to OCR on May 30, 2019 by a patient who had issued a request to UCMC on February 22, 2019 seeking an electronic copy of the medical records held in UCMC’s electronic health record system to be sent to her legal counsel.

The HIPAA Right of Access requires copies of medical records to be handed over, on request, no more than 30 days following receipt of the request. 45 C.F.R. § 164.524 also states that an individual is allowed to have the requested records shared with a nominated third party.

The HIPAA complaint was submitted to OCR more than 13 weeks after the patient’s initial request. OCR investigated the complaint and UCMC finally supplied the lawyer with the requested documentation on August 7, 2019, more than 5 months after the initial request was submitted.

After looking into the complaint, OCR ruled that UCMC had not responded to the patient’s request for a copy of her medical records in a timely fashion and a financial penalty was deemed applicable.

Along with the fine, UCMC must implement a corrective action plan that includes creating, managing, and amending, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and put in place within 30 days of OCR’s approval.

The policies must be shared with all members of the workforce and relevant business associates, and they must be reviewed and updated, as necessary, at least on a yearly basis. Training materials must also be formulated and supplied to OCR for approval, and training given to appropriate members of the workforce on the new policies.

UCMC must hand over to OCR details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records, along with copies of business associate agreements. Also, UCMC must make known all instances where requests for records have been turned down. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

Roger Severino, OCR Director, in an official statement said: “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and HIPAA training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”

Author: Maria Perez