OCR Settles Nineteenth Investigation in HIPAA Right Of Access Initiative

Saul Ewing Arnstein & Lehr LLP

On June 2, 2021, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), announced that the Diabetes, Endocrinology & Lipidology Center, Inc., (DELC) agreed to pay $5,000, enter into a Resolution Agreement, and adopt a Corrective Action Plan (CAP) to settle a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. According to its web page, DELC has one (1) health care provider and their sole office is located in Martinsburg, West Virginia. Two years ago, OCR announced the HIPAA Right of Access Initiative, which supports individuals’ right to timely and affordably access their health records. This OCR settlement is the nineteenth under the HIPAA Right of Access Initiative. The Resolution Agreement is not an admission of liability by DELC.

In July 2019, a parent made a request for a copy of her minor child’s protected health information. In August 2019, a complaint was filed with OCR alleging that DELC failed to take timely action in response to the parent’s records access request. On October 30, 2019, OCR notified DELC of its investigation.

The OCR investigation concluded that DELC failed to provide timely access to the requested medical records, which was a potential violation of the HIPAA right of access standard. The investigation prompted DELC to provide the requested records in May 2021, nearly two years after the parent’s request. 

In addition to the monetary settlement, DELC entered into a CAP that includes two (2) years of monitoring by HHS and a requirement to do each of the following:

  • Review and revise policies and procedures of individual access to PHI;
  • Train all workforce members who have access to PHI on the revised policies and procedures within thirty (30) days of adopting such policies and procedures;
  • Make a good faith effort to provide the complainant with access to the requested records, in whole or in part, and/or provide a denial, in whole or in part;
  • Every ninety (90) days submit to HHS a list of requests for access to PHI and specific statistical information; and
  • Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation occurred, report such events to HHS

This nineteenth OCR settlement is an important reminder that providers of all sizes must provide timely access to medical records, consistent with the HIPAA rules. As noted by Acting OCR Director Robinsue Frohboese, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records…Covered entities owe it to their patients to provide timely access to medical records.”

Written by:

Saul Ewing Arnstein & Lehr LLP
Contact
more
less

Saul Ewing Arnstein & Lehr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.