Deeper Than the Headlines: The First-Ever HIPAA Right of Access Fine

If you're like me, when you think of all the reasons business associates and HIPAA-covered entities have entered into settlements and agreements with the Office for Civil Rights (OCR), you probably think about breaches, a lack of business associate agreements, failure to perform a proper risk analysis, or weaknesses in the policies, procedures and protections related to PHI. After all, until now there hadn't been many (if any) cases involving a covered entity's failure to provide timely and appropriate access to PHI when requested by a patient or their representative.

But that all changed in September 2019, when the OCR announced the first settled case in its HIPAA Right of Access initiative. Earlier in the year, the OCR had announced this initiative, promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

In this first case, Bayfront Health St. Petersburg (Bayfront) paid $85,000 to the OCR and adopted a corrective action plan to settle a potential violation of the Right of Access provision of the HIPAA Rules after Bayfront failed to provide a mother timely access to records regarding her unborn child.

According to the OCR investigation, which was based on a complaint from the mother, Bayfront provided the mother with the requested health information more than nine months after the initial request. The HIPAA Rules require covered healthcare providers to deliver medical records within 30 days of the request. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.

The OCR Director, Roger Severino, said that “providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by the OCR, which is no small undertaking. Many times, the obligations of the corrective action plan are more expensive and onerous than the initial investigation and settlement. By way of example, some of the requirements of the corrective action plan, which are typical of such agreements, include the following:

  1. Bayfront shall develop, maintain, and revise, as necessary, its written access policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”).
  2. Bayfront shall distribute the access policies and procedures to members of the workforce and relevant business associates within thirty (30) days of HHS approval of such revised policies, if any, and to new members of the workforce within thirty (30) days of their beginning of service.
  3. Bayfront shall require, at the time of distribution of such revised policies and procedures, a signed written or electronic initial compliance certification from all appropriate members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures.
  4. Bayfront shall assess, update, and revise, as necessary, the policies and procedures at least annually or as needed. Within thirty (30) days of the effective date of any approved substantive revisions, Bayfront shall distribute such revised policies and procedures to members of its workforce and relevant business associates and shall require new compliance certifications.

The Policies and Procedures shall include, but not be limited to:

  1. Review and update as necessary Bayfront’s Designated Record Set Policy contained within its Right of Access to PHI policy to ensure comprehensive responses to requests for records.
  2. Protocols for training all Bayfront's workforce members and business associates that are involved in receiving or fulfilling access requests as necessary and appropriate to ensure compliance with policies and procedures.
  3. Application of appropriate sanctions against Bayfront workforce members who fail to comply with policies and procedures.
  4. A process for reviewing business associate performance with regard to access requests and responses and terminating relationships with business associates who fail to permit Bayfront to comply with policies and procedures.
  5. Designation of one or more individuals who are responsible for ensuring that Bayfront's business associate agreements with any business associates involved in Bayfront's access responsibilities under the Privacy Rule are properly executed.


  1. Bayfront shall provide training on any revised training materials for each workforce member and relevant business associate within sixty (60) days of HHS approval and annually thereafter. Bayfront shall also provide such training to each new member of the workforce or relevant new business associate within thirty (30) days of their beginning of service.
  2. Each workforce member and relevant business associate who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received.
  3. Bayfront shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

These requirements are good practices for any healthcare organization to follow, well before you ever reach the point of a corrective action plan. As I've said before, there's a lot to be learned from these types of settlements and corrective action plans. The real bottom line is this: make sure all requests for PHI are handled appropriately, promptly, and without overcharging for any fees associated with records requests. Otherwise, you could end up paying a hefty fine, just like Bayfront.