OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.
On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.
OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.
SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.
“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.