OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.
Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.
The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.
When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
CHMC received the parent’s request and provided some of her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).
In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.
“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”
