OCR Issues 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The 20th financial penalty under the HIPAA Right of Access enforcement initiative has been issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Pediatric care provider Children’s Hospital & Medical Center (CHMC) based in Omaha, Nebraska, was required to pay a penalty fee of $80,000 to resolve an alleged HIPAA Right of Access violation and to perform a corrective action plan to take care of the non-compliance found by OCR. OCR will check CHMC’s compliance for one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act provided persons the right to get a copy of their protected health information (PHI) saved by a HIPAA-covered entity, and for parents and legal guardians to acquire a copy of the healthcare data of their minor children. HIPAA-covered entities should give the requested documents within 30 days and may only impose a reasonable cost-based fee for furnishing copies. On several occasions, covered entities could get a 30-day extension, making the maximum time frame for giving the files 60 days from the date the request is gotten.

If people feel their HIPAA rights were violated, they are unable to take legal action against a HIPAA-covered entity regarding the HIPAA violation, nevertheless, they can report a complaint to OCR. In this case, OCR received a complaint from a parent who stated CHMC did not provide her prompt access to her young daughter’s health data.

CHMC got the parent’s request and gave some of her daughter’s medical information but failed to deliver all the requested records. The parent likewise made a few follow-up requests to CHMC. OCR reviewed the incident and confirmed the parent’s request for a copy of her late daughter’s health information on January 3, 2020. A few of the requested files were furnished; nevertheless, the remaining data needed to be acquired from some other CHMC division. A number of the remaining files were delivered on June 20, 2020, with the remainder presented on July 16, 2020. OCR established that this was a HIPAA Right of Access – 45 C.F.R. § 164.524(b) violation.

Aside from the financial charges, CHMC needs to review and update its guidelines and procedures connected to the HIPAA Right of Access, present the policies to OCR for evaluation, and deliver the approved policies to the staff and make certain training is made available.

In general, HIPAA necessitates covered entities to give parents timely access to their minor children’s medical data, if the parent is the child’s personal representative, stated Acting OCR Director Robinsue Frohboese. OCR’s Right of Access Initiative sustains patients’ and personal representatives’ essential right to their health information and highlights the benefit of all covered entities’ conformity with this vital right.