HIPAA Fine Violation Spotlight

HIPAA Fines Charged For Security and Privacy Rule Violation

Earlier this year, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced its Right of Access Initiative, which promised to vigorously enforce patients’ rights to access their medical records in a prompt manner without being overcharged. On September 9th, the OCR announced its first-ever enforcement action and settlement over right of access.

Bayfront Health in St. Petersburg, Florida, a 480-bed hospital, was the subject of a complaint made in August 2018 by a mother who had failed to receive the heart monitor records of her unborn child after making the initial request in October of 2017. As OCR launched its investigation, Bayfront finally provided the records, nine months after the initial request was made. Under HIPAA law, providers are required to supply patients with their requested medical records within 30 days, while charging only a reasonable fee. This law also applies to legal guardians seeking the records of their minor children, or in this case, the prenatal records of a child.

This delay has cost Bayfront $85,000. In addition to the financial penalty, the settlement details that the hospital must adopt a corrective action plan that will involve extensive review and updating of their HIPAA policies, and submit to one year of monitoring by OCR. They will also be required to update these policies on a yearly basis.

Right of Access is a key part of HIPAA, as portability and accessibility are written into the acronym. The law originally conceived of patients obtaining written copies of their health records and being free to take them to any health provider they wished to see, but with the advent of technology and electronic health records this became infinitely more complicated. Now, patients may wish to have records shared easily between doctors’ offices or entire networks as they visit specialists and varying hospitals. However, with the need to simultaneously protect PHI from unauthorized viewers, some organizations have either made the process purposefully difficult, or simply failed to find a way to streamline it. Yet the right of patients to access their health records in a manner that is appropriate (either digitally or on paper), in a timely manner, and at no extravagant cost, is written into law.

With OCR continuing its Right of Access Initiative, it may be wise for all organizations to review their process for granting access requests to patients, as a failure to comply in a timely manner may result not only in a fine but also in a broader investigation by OCR.