The Department of Health and Human Services’ Office for Civil Rights (OCR) is moving forward with its campaign to stop noncompliance with the HIPAA Right of Access. OCR reported its fifteenth settlement this week that resolved a HIPAA Right of Access enforcement action.
Renown Health, a Northern Nevada non-profit healthcare network, agreed to pay a financial penalty of $75,000 for its HIPAA case with OCR in order to take care of its potential HIPAA Right of Access violations.
OCR started an investigation after a Renown Health patient submitted a complaint about not receiving an electronic copy of her protected health information (PHI). The patient submitted her request to Renown Health in January 2019 indicating that her medical and billing information be provided to her lawyer. After over a month of waiting, no records were provided and so the patient submitted to OCR her complaint. Renown Health only provided the requested records on December 27, 2019, after nearly a year of making the initial request.
Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), medical records must be given to the requesting party within 30 days of receiving the request. OCR established that the long wait in giving the requested information violated the terms of this Privacy Rule.
Besides paying the financial fine, Renown Health has consented to follow a corrective action plan. It has to develop, maintain, and revise, as needed, the company’s written policies and procedures making sure that they cover the HIPAA Right of Access. Employees must be provided with HIPAA training about the policies and procedures. A sanctions policy should be enforced when employees are not able to adhere to the policies and procedures. Renown Health is going to be under OCR’s supervision for two years to ensure compliance with the HIPAA Right of Access.
Giving patients access to their health records is an important HIPAA right. Health care providers are legally under obligation to provide their patients access to their health records promptly.
The above-mentioned settlement is OCR’s third announcement in 2021. The first two involved Banner Health paying a $200,000 settlement for the same HIPAA Right of Access violation and Excellus Health Plan paying a $5,100,000 penalty to settle multiple HIPAA violations that resulted in a 9,358,891-record data breach in 2015.