Hospital Pays $160,000 as OCR Settles Its Eighth HIPAA Right of Access Initiative Investigation

Saul Ewing Arnstein & Lehr LLP
Contact

Saul Ewing Arnstein & Lehr LLP

On October 7, 2020, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it had settled its eighth enforcement action as part of its HIPAA Right of Access Initiative (the “Initiative”). The Initiative was announced in 2019 as OCR seeks to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In September 2020 OCR settled five investigations with five different providers under the Initiative.

Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“SJHMC”) agreed to take corrective actions and pay $160,000 to settle a potential violation of the HIPAA Privacy Rule. Based in Phoenix, Arizona, SJHMC is a large, acute care hospital with several hospital-based clinics. As part of the settlement and without admitting liability, SJHMC also adopted a corrective action plan (“CAP”).

In April 2018, OCR received a complaint from a patient’s mother alleging that she had requested her son’s medical records several times from SJHMC. While SJHMC provided some of the records, it did not provide all of the requested records, despite several follow-up requests. OCR investigated and found that SJHMC’s actions were a potential violation of the Initiative. As a result of the OCR investigation, SJHMC ultimately sent all of the requested medical records to the mother on December 19, 2019, more than twenty-two (22) months after her initial request.

Under the CAP, SJHMC will be subject to two (2) years of monitoring and agreed to do each of the following:

  • Develop, maintain, and revise its written access policies, subject to HHS review and approval;
  • Distribute the HHS-approved written access policies to members of its workforce and its relevant business associates;
  • Update its Designated Record Set Policy to ensure comprehensive responses to requests for records; and
  • Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.

This enforcement action, along with the previous Initiative settlements, demonstrate the importance of complying with the HIPAA rules. OCR Director Roger Severino stated “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.” OCR clearly believes in the Initiative and every HIPAA-covered entity should as well. Covered entities should review their policies and procedures to ensure they are complying with HIPAA and providing patients with timely copies of medical records upon request at a reasonable cost.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing Arnstein & Lehr LLP | Attorney Advertising

Written by:

Saul Ewing Arnstein & Lehr LLP
Contact
more
less

Saul Ewing Arnstein & Lehr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.