$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Failure

The HHS’ Office for Civil Rights issued its 18th HIPAA financial penalty of 2020 – the 12th fine issued under its HIPAA Right of Access enforcement initiative.

In 2019, OCR launched an initiative to make sure people get timely access to their health information, at a fair cost, as mandated by the HIPAA Privacy Rule. The initiative was introduced because healthcare organizations were generally not fully complying with this crucial HIPAA Privacy Rule provision, and some patients were having difficulty getting a copy of their medical files.

The most recent financial penalty, of $65,000, was imposed on the University of Cincinnati Medical Center, LLC (UCMC). It was prompted by a complaint filed with OCR on May 30, 2019 by a patient who, on February 22, 2019, had asked UCMC to send an electronic copy of her health records to her lawyer.

Under the HIPAA Right of Access, medical providers must give copies of medical records, on request, no later than 30 days after receiving the request. 45 C.F.R. § 164.524 additionally says that an individual can have the requested records sent to a chosen third party, if he or she so wishes.

OCR received the complaint more than 13 weeks after the patient submitted her request. OCR intervened, and UCMC eventually furnished the requested files to the lawyer on August 7, 2019, 5 months after the initial request was submitted.

After investigating the patient's complaint, OCR established that UCMC had failed to act promptly on the patient’s request for a copy of her medical records. A financial penalty was therefore judged appropriate.

Besides the financial penalty, UCMC needs to follow a corrective action plan that consists of developing, maintaining, and revising, as needed, written policies and processes to make certain it complies with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. OCR will review those policies, and they must be implemented within 30 days of OCR's approval.

The policies must be provided to all members of the workforce and relevant business associates. The policies should be evaluated and updated, as required, at least yearly. Training materials must also be produced and provided to OCR for approval, after which employees must be trained on the new policies.

UCMC must give OCR details of all business associates and/or vendors that obtain, provide, bill for, or deny access to copies or inspection of records, together with copies of business associate agreements, and UCMC must report all cases where requests for information have been refused. OCR will monitor UCMC closely for 2 years from the date of the resolution agreement to check compliance.

OCR is committed to making sure that patients enjoy their right to access their health data, including the right to direct digital copies to a third party of their choosing. HIPAA covered entities should evaluate their policies and training programs to make sure they know and can meet all their HIPAA obligations whenever a patient requests access to his or her data.