For First Time Ever, Government Settles HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records

Conor Duffy
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response to allegations that it failed to provide a mother with timely access to medical records concerning her unborn child. Under the terms of a resolution agreement, Bayfront agreed to pay $85,000, and enter into a one year corrective action plan (CAP).

OCR initiated an investigation of Bayfront in response to a 2018 patient complaint. According to OCR’s investigation, the patient initially submitted a written request for fetal heart monitor records in October, 2017, and subsequently submitted follow-up requests through counsel in January and February of 2018. Bayfront allegedly did not provide a complete set of records to the patient’s counsel until August of 2018, and the patient reportedly did not receive the records directly until February, 2019. OCR’s investigation thus “indicated that Bayfront failed to provide access” to PHI about the patient in a designated record set, in accordance with 45 C.F.R. § 164.524. Bayfront did not admit liability as part of the resolution agreement.

Under the terms of the CAP, Bayfront is obligated to update its written access policies to comply with HIPAA, and provide HHS with access to those policies within 60 days for review and approval. The policies must include provisions addressing HIPAA’s right of access, as well as protocols for training of workforce members and sanctions for non-compliant workforce members. Bayfront will also be obligated to submit an implementation report within 120 days after receiving HHS approval of the policies and procedures, and an annual report that includes training materials on the new HIPAA policies and procedures, as well as attestations of compliance with the CAP’s requirements.

This enforcement action is part of OCR’s new “Right of Access Initiative” that is intended to “vigorously” ensure that patients are able to “receive copies of their medical records promptly and without being overcharged.” Health care providers and other entities subject to HIPAA would therefore be well-advised to review their policies and procedures for providing access to medical records, because potential violations of HIPAA’s right to access are under heightened governmental scrutiny at this time.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide