On November 19, 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced it had settled its 12th enforcement action in its HIPAA Right of Access Initiative (the “Initiative”). The Initiative is an OCR enforcement priority to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and accountability Act (“HIPAA”) Privacy Rule. There are have been several other Initiative settlements this fall including with Riverside Psychiatric Medical Group settling for $25,000; Dr. Rajendra Bhayani for $15,000; NY Spine Medicine for $100,000; and Dignity Health d/b/a St. Joseph’s Hospital and Medical Center for $160,000. Providers of all sizes and locations around the country have entered into settlements with OCR as a result of the Initiative.
In the most current settlement, the University of Cincinnati Medical Center, LLC (“UCMC”), an academic medical center providing services in the greater Cincinnati area, agreed to pay $65,000 and enter into a Corrective Action Plan (“CAP”) to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. On May 30, 2019, OCR received a complaint against UCMC alleging that UCMC failed to respond to a patient’s February 22, 2019 request to provide a copy of her medical records maintained in UCMC’s electronic health record to the complainant’s attorneys. OCR investigated and found that UCMC failed to timely provide a copy of the requested medical records in a potential violation of the HIPAA Rules, which include the right of patients to have electronic copies of records transmitted directly to a third party. The requested records were not provided until August 7, 2019. The settlement does not identify the reason for UCMC’s delay in providing the individual with a copy of her medical records.
In addition to the monetary settlement, UCMC entered into a CAP, which is not an admission of liability by UCMC. Under the CAP, UCMC is subject to two (2) years of monitoring and must complete each of the following:
- Develop, maintain, and revise its written right of access policies and procedures, to be submitted to HHS for review and approval;
- Distribute HHS-approved policies and procedures to all members of its workforce and its relevant business associates;
- Ensure policies and procedures include minimum content requirements set forth in the CAP;
- Provide HHS with the names of all UCMC business associates that receive, provide, bill for, or deny access to copies or inspection of records and copies of related business associate agreements;
- Promptly investigate any workforce member or business associate that may have failed to comply with the access requirements in UCMC policies and procedures or business associate agreements; and
- Submit for HHS review revised training materials and, upon receiving HHS’ approval, train workforce members utilizing the revised training materials.
Covered entities – regardless of their size – should take note of this settlement and the 11 that preceded it and appreciate that OCR is committed to the Initiative and to ensure individuals have timely access to their medical records upon request. Covered entities should review their HIPAA policies and procedures and ensure they are providing individuals or appropriate third parties with timely and complete medical records upon request and at a reasonable cost.