On June 2, 2021, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), announced that the Diabetes, Endocrinology & Lipidology Center, Inc., (DELC) agreed to pay $5,000, enter into a Resolution Agreement, and adopt a Corrective Action Plan (CAP) to settle a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. According to its web page, DELC has one (1) health care provider and their sole office is located in Martinsburg, West Virginia. Two years ago, OCR announced the HIPAA Right of Access Initiative, which supports individuals’ right to timely and affordably access their health records. This OCR settlement is the nineteenth under the HIPAA Right of Access Initiative. The Resolution Agreement is not an admission of liability by DELC.
In July 2019, a parent made a request for a copy of her minor child’s protected health information. In August 2019, a complaint was filed with OCR alleging that DELC failed to take timely action in response to the parent’s records access request. On October 30, 2019, OCR notified DELC of its investigation.
The OCR investigation concluded that DELC failed to provide timely access to the requested medical records, which was a potential violation of the HIPAA right of access standard. The investigation prompted DELC to provide the requested records in May 2021, nearly two years after the parent’s request.
In addition to the monetary settlement, DELC entered into a CAP that includes two (2) years of monitoring by HHS and a requirement to do each of the following:
- Review and revise policies and procedures of individual access to PHI;
- Train all workforce members who have access to PHI on the revised policies and procedures within thirty (30) days of adopting such policies and procedures;
- Make a good faith effort to provide the complainant with access to the requested records, in whole or in part, and/or provide a denial, in whole or in part;
- Every ninety (90) days submit to HHS a list of requests for access to PHI and specific statistical information; and
- Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation occurred, report such events to HHS
This nineteenth OCR settlement is an important reminder that providers of all sizes must provide timely access to medical records, consistent with the HIPAA rules. As noted by Acting OCR Director Robinsue Frohboese, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records…Covered entities owe it to their patients to provide timely access to medical records.”