First HIPAA Violation Settlement Case in 2019 Involving the Right of Access Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced early this year that HIPAA enforcement in 2019 would focus primarily on HIPAA right of access failures, such as delayed responses to access requests and charging too much for copies of healthcare records.

The HIPAA right of access gives patients the right to request copies of their healthcare records. HIPAA-covered entities need to respond to the requests and give patients their copies of healthcare data within 30 days of receipt of the request. An entity is authorized to ask for a fair service charge in exchange for a copy of a person’s PHI, which may include the labor, materials and postage costs.

HIPAA-covered entities that are unable to deliver the copies of data in a reasonable period of time or impose excessive fees for the information are violating the HIPAA Privacy Rule (45 CFR 164.501). They can be issued a sizable financial penalty.

This week, Bayfront Health St. Petersburg, a 480-bed hospital located in St. Petersburg, FL, agreed to pay OCR $85,000 to settle the first case under the right of access initiative.

OCR started investigating Bayfront Health for a potential HIPAA violation after receiving a patient complaint on August 14, 2018. Allegedly, the patient requested a copy of her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. Even 9 months after submitting the request, the patient had not received a full copy of her records and so filed the complaint.

OCR affirmed that the patient requested her copy of medical records on October 18, 2017. Bayfront Health informed the patient that the records were missing. The patient’s counsel sent two more requests to Bayfront Health on January 2, 2018, and February 12, 2018. Bayfront Health gave a partial set of records in March 2018. A complete record was only obtained on August 23, 2018. The patient’s counsel provided the records to the patient; however, OCR had to intervene before the fetal heart monitor data could be given to the patient. The medical records were given to the patient directly on February 7, 2019.

OCR decided that Bayfront Health’s inability to give the patient her medical record set violated HIPAA 45 C.F.R. § 164.524 and warranted a substantial financial penalty.

Besides the financial penalty, Bayfront Health decided to adopt a corrective action plan, which OCR will monitor for the next 12 months.