HIPAA and Compliance News

Ohio Medical Center Pays OCR $65K for HIPAA Right of Access Failure

OCR reached a $65,000 settlement with the University of Cincinnati Medical Center, after failing to respond to a patient’s request for access to her medical records, as required by HIPAA.


By Jessica Davis

The University of Cincinnati Medical Center in Ohio has agreed to a $65,000 settlement and a corrective action plan with the Office for Civil Rights to resolve a potential violation of the HIPAA Privacy Rule’s right of access standard.

Announced in early 2019, OCR’s HIPAA Right of Access Initiative is designed to provide patients with support in obtaining timely access to their medical records for a reasonable fee.

The latest settlement is the twelfth enforcement action taken under the effort, and the third announced in the last month, joining settlements with a New York specialist and Riverside Psychiatric Medical Group.

The OCR enforcement action with UCMC stems from a May 2019 patient complaint filed with the agency, which alleged the provider failed to respond to a records request to send an electronic copy of the patient’s medical record, maintained in UCMC’s electronic health record, to her lawyers.

An investigation was launched, which found the medical center had indeed failed to provide a copy of the requested records in a timely fashion, a potential violation of HIPAA.

Under the privacy rule, covered entities “must transmit an individual’s PHI directly to another person or entity designated by the individual.”

“The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI,” according to the Department of Health and Human Services. “A covered entity may accept an electronic copy of a signed request... an electronically executed request... that includes an electronic signature, or a faxed or mailed copy of a signed request.”

“The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity,” HHS added.

As a result of the OCR investigation, the patient was provided the requested medical records in August 2019.

In addition to the settlement payment, UCMC has agreed to enter into a corrective action plan, which includes two years of monitoring.

Under the CAP, the medical center is required to develop and maintain written policies and procedures governing the privacy of protected health information, including the right of access standard.

The policies must also include an accurate definition of a designated record set, as defined by HIPAA, standardized procedures for responding to requests for access, and protocols for training workforce members and business associates involved in receiving or fulfilling patient data access requests.

UCMC must also develop training protocols for these policies to ensure compliance with HIPAA, and apply appropriate sanctions against UCMC workforce members who fail to comply with the regulation.

Lastly, the medical center must develop a process to review the performance of relevant business associates with respect to access requests and responses, including sanctions for business associates who fail to comply with HIPAA.

Those policies must be submitted to HHS within 60 days for approval or revision. All UCMC workforce members and relevant business associates must then be provided with the new policies and procedures, along with training, so that they understand the compliance requirements.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice,” said OCR Director Roger Severino, in a statement. “HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”