OCR Announces 19th Right Of Access Settlement


With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last minute spring cleaning in – announcing their latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up their “HIPAA mess” that started back in 2019.

Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced their initiative two years ago. And ironically enough – around the same time that the government was declaring their focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them.

The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.

Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it and just to name a few:

  • DELC must review and revise policies for individuals’ access to protected health information (PHI) and provide them to the Department of Health and Human Services (HHS) for approval.
  • Privacy training materials on individual access must be provided to the HHS for review within 60 days and upon approval, must be given to all workforce members annually.
  • The HHS must be provided with a list of all record access requests received by DELC every 90 days.
  • DELC is required to submit implementation and annual reports to the government and should maintain all documentation for up to six years from the effective date as the HHS can request records even after the CAP is completed.

This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs.

So while DELC took longer to fulfill the request than it would to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping themselves. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to their initiative and continued to sweep up any and all violators. And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same and was reiterated by Acting OCR Director Robinsue Frohboese in that, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”

[View source.]

Written by:


Abyde on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.