The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced the 20th Resolution Agreement in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. In September 2019, OCR announced this initiative (see our prior article here) with its goal to enforce the rights of patients to receive copies of their medical records promptly and at a fair cost. Settlements, as a result of this initiative, have been reached with providers of varying sizes. Along with the monetary settlement, the Resolution Agreements each include a Corrective Action Plan and a monitoring period (generally one to two years).
In this 20th enforcement action, Children’s Hospital & Medical Center (CHMC), in Omaha, Nebraska, agreed to pay $80,000 and enter into a Corrective Action Plan to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. Under the HIPAA right of access standard, codified in 45 C.F.R. § 164.524, a covered entity is required to take action on an access request within 30 days of receipt (or within a maximum of 60 days if an extension applies). In the Resolution Agreement, OCR indicated that the potential noncompliant conduct was a failure to provide timely access to the Complainant’s late minor daughter’s records in their entirety following the Complainant’s request on January 3, 2020. Under HIPAA, a parent is a “personal representative” of a minor child and must be treated like a patient when exercising the right of access. At the time of the records request in January 2020, CHMC provided the personal representative with a portion of the requested records; however, the remaining records – housed in another CHMC division – were not received until June 20, 2020 and July 16, 2020, subsequent to the initiation of OCR’s investigation. This Resolution Agreement highlights that partial compliance does not meet the HIPAA Privacy Rule’s right of access standard, even when a request requires collecting records from various divisions of the covered entity.
The CHMC Corrective Action Plan includes a requirement to review and revise policies related to the right of access in compliance with HIPAA, and to provide those policies and related training materials to HHS for approval. CHMC must also distribute the approved policies to workforce members who must sign a compliance certification affirming review and understanding, and provide training to workforce members whose jobs relate to individual requests for records.
This Resolution Agreement yet again underscores the seriousness with which OCR views the patient’s right of access and the speed with which OCR is addressing complaints related to this right. Covered entities can take proactive measures to mitigate the risk of noncompliance and subsequent OCR investigation by taking some of the steps outlined in the CHMC Corrective Action Plan, including ensuring a cohesive approach to reviewing requests and producing records across divisions. More compliance tips and previous OCR settlements are discussed in detail here.
For more information, please contact Madison M. Pool or Kadeja A. Watts.