HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

Share this article on:

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On