$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Violation

The HHS’ Office for Civil Rights reported its 18th HIPAA financial penalty for 2020 – the 12th penalty given under the HIPAA Right of Access enforcement initiative.

In 2019, OCR launched a new initiative to ensure that individuals get quick access to their medical records, at a reasonable fee, as required by the HIPAA Privacy Rule. The initiative addresses the fact that healthcare companies were not consistently complying in full with this vital HIPAA Privacy Rule provision, and a number of patients were having problems obtaining a copy of their medical records.

The latest financial penalty, of $65,000, was issued to the University of Cincinnati Medical Center, LLC (UCMC). It resulted from a complaint submitted to OCR on May 30, 2019 by a patient who, on February 22, 2019, had asked UCMC to send an electronic copy of her health records to her attorney.

Under the HIPAA Right of Access, healthcare companies must produce copies of medical records, upon request, within 30 days of receiving the request. 45 C.F.R. § 164.524 further states that a person may have the requested records sent to a designated third party if they so wish.

OCR received the complaint more than 13 weeks after the patient filed her request. OCR intervened, and UCMC finally gave the attorney the requested data on August 7, 2019, 5 months after the initial request was filed.

After investigating the patient's complaint, OCR confirmed that UCMC did not provide the requested copy of her medical records in a timely manner. A financial penalty was therefore deemed necessary.

In addition to the financial penalty, UCMC must undertake a corrective action plan that includes creating, maintaining, and revising, as required, written policies and procedures to ensure it complies with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. OCR will review those policies, and they must be implemented within 30 days of OCR’s approval.

The policies must be distributed to all individuals in the organization and to relevant business associates. They have to be reviewed and updated, as needed, at least every year. Training materials must also be developed and submitted to OCR for approval, after which training on the new policies must be provided to staff.

UCMC must provide OCR with details of all business associates and/or vendors that acquire, provide, pay for, or deny access to copies or evaluation of records, together with copies of the business associate agreements, and UCMC must record all instances where requests for data were declined. OCR will monitor UCMC closely for 2 years from the signing of the resolution agreement to ensure compliance.

OCR is committed to ensuring that patients can exercise their right to access their health data, including the right to direct digital copies to a third party of their choice. HIPAA covered entities must review their policies and training programs to make certain they understand and can fulfill all their HIPAA responsibilities when a patient wants access to his or her information.