OCR's First HIPAA Right of Access Enforcement Action
On September 9, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the first enforcement action and settlement in its Right of Access Initiative (the “Initiative”). The Health Insurance Portability and Accountability Act (HIPAA) regulations provide patients with certain rights, including the right of access to their protected health information (with limited exceptions). The Initiative is focused on protecting the rights of patients under HIPAA to receive copies of their protected health information promptly and without being overcharged. OCR has indicated that it will “vigorously enforce” these rights, and the recent settlement illustrates this position.
In this settlement, Bayfront Health St. Petersburg (Bayfront) paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of HIPAA’s right of access provision. OCR alleged that Bayfront failed to provide a mother timely access to records about her unborn child. Parents are generally allowed access to their minor children’s health records under HIPAA, and covered entities are required to respond to such access requests within 30 days (or less, if required by state law). Here, Bayfront allegedly failed to provide the requested information until more than nine months after the initial request.
In a statement, OCR Director Roger Severino said, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
In addition to the financial penalty, Bayfront entered into a resolution agreement and corrective action plan. Under the one-year corrective action plan, Bayfront agreed to take the following actions, among others:
- Develop, maintain, and revise, as necessary, its written access policies and procedures to comply with the HIPAA Privacy Rule, including the patient right of access provision;
- Distribute the access policies and procedures to members of its workforce and relevant business associates and require a signed initial compliance certification stating that they have read, understand, and shall abide by such policies and procedures;
- Include protocols for (i) training all workforce members and business associates that are involved in receiving or fulfilling access requests as necessary and appropriate to ensure compliance with the policies and procedures, and (ii) reviewing business associate performance with regard to access requests and responses and terminating relationships with business associates who fail to permit Bayfront to comply with the policies and procedures;
- Provide training for each workforce member and relevant business associate within sixty (60) days of HHS approval of any revised training materials and annually thereafter; and
- Provide such training to each new member of the workforce or relevant new business associate within thirty (30) days of their beginning of service.
The above requirements of the corrective action plan are notable for the level of inclusion and training required to be provided to business associates. Such direct training of business associates is not expressly required under the HIPAA regulations and imposes an additional requirement on Bayfront. In addition, this settlement comes just over a year following the initial complaint received by OCR on August 14, 2018. The comparatively swift action further underscores the seriousness with which OCR appears to be taking the Initiative and potential violations of the patient right of access. Covered entities may wish to proactively review their policies and practices around the HIPAA right of access and address any area of vulnerability. For more information or assistance in reviewing policies and practices related to the right of access, please contact Carol Saul or Madison Pool.
- Madison M. Pool