On October 7, 2020, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it had settled its eighth enforcement action as part of its HIPAA Right of Access Initiative (the “Initiative”). The Initiative was announced in 2019 as OCR seeks to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In September 2020 OCR settled five investigations with five different providers under the Initiative.
Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“SJHMC”) agreed to take corrective actions and pay $160,000 to settle a potential violation of the HIPAA Privacy Rule. Based in Phoenix, Arizona, SJHMC is a large, acute care hospital with several hospital-based clinics. As part of the settlement and without admitting liability, SJHMC also adopted a corrective action plan (“CAP”).
In April 2018, OCR received a complaint from a patient’s mother alleging that she had requested her son’s medical records several times from SJHMC. While SJHMC provided some of the records, it did not provide all of the requested records, despite several follow-up requests. OCR investigated and found that SJHMC’s actions were a potential violation of the Initiative. As a result of the OCR investigation, SJHMC ultimately sent all of the requested medical records to the mother on December 19, 2019, more than twenty-two (22) months after her initial request.
Under the CAP, SJHMC will be subject to two (2) years of monitoring and agreed to do each of the following:
- Develop, maintain, and revise its written access policies, subject to HHS review and approval;
- Distribute the HHS-approved written access policies to members of its workforce and its relevant business associates;
- Update its Designated Record Set Policy to ensure comprehensive responses to requests for records; and
- Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.
This enforcement action, along with the previous Initiative settlements, demonstrate the importance of complying with the HIPAA rules. OCR Director Roger Severino stated “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.” OCR clearly believes in the Initiative and every HIPAA-covered entity should as well. Covered entities should review their policies and procedures to ensure they are complying with HIPAA and providing patients with timely copies of medical records upon request at a reasonable cost.