On February 12th, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it settled its sixteenth enforcement action as part of its HIPAA Right of Access Initiative (the “Initiative”). The Initiative is an OCR enforcement priority with the goal to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. This is OCR’s second settlement announced under the Biden Administration.
In this settlement, Sharp HealthCare d/b/a Sharp Rees-Stealy Medical Centers (“Sharp”) has agreed to pay $70,000 and implement a corrective action plan (“CAP”) to settle a potential violation of the HIPAA right of access standard. Sharp is located in California and provides health care through four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan.
This settlement results from a June 2019 complaint filed with OCR alleging Sharp failed to respond to a patient’s April 2019 request directing that an electronic copy of protected health information in an electronic health record be sent to a third party recipient. As a result of the complaint, OCR provided Sharp with technical assistance regarding the HIPAA right of access requirements. OCR received a second complaint in August 2019 alleging Sharp still had not responded to the patient’s request. OCR’s investigation indicated that Sharp’s failure to provide timely access to the requested medical records resulted in a potential violation of the HIPAA right of access standard. After OCR’s investigation, Sharp provided access to the requested records in October 2019, four months after the initial complaint was filed and six months after the patient’s request for records.
Under the CAP, which did not result in an admission of liability, Sharp will be subject to two (2) years of monitoring by HHS and agreed to do each of the following:
- Review and revise Sharp’s policies and procedures to comply with federal standards governing privacy of individually identifiable health information under HIPAA, which are subject to HHS review and approval;
- Ensure the revised policies and procedures contain minimum content set forth in the CAP;
- Distribute the HHS-approved policies and procedures to all workforce members and provide proof of such distribution to HHS;
- Train workforce members utilizing the updated policies and procedures; and
- Report to HHS any workforce member who materially fails to comply with the revised policies and procedures described above.
This enforcement action, along with the previous Initiative settlements, demonstrates the continued importance of timely complying with the HIPAA regulations. Acting OCR Director Robinsue Frohboese stated, “patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” Covered entities should review their HIPAA policies and procedures to ensure they are complying with HIPAA and providing patients with timely copies of medical records upon request and at a reasonable cost.