The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued the HIPAA Right of Access enforcement initiative’s 20th financial penalty.
Pediatric care provider Children’s Hospital & Medical Center (CHMC) located in Omaha, Nebraska, was instructed to pay a fine of $80,000 to settle an alleged HIPAA Right of Access violation and to undertake a corrective action plan to handle the noncompliance uncovered by OCR. OCR will supervise CHMC’s compliance for a period of one year.
The Privacy Rule of the Health Insurance Portability and Accountability Act offered people the right to acquire a copy of their protected health information (PHI) kept by a HIPAA-covered entity, and for parents and legal guardians to get a copy of the health data of their minor children. HIPAA-covered entities need to give the requested information in 30 days and could only demand a fair cost-based amount for giving copies. In a number of instances, covered entities may request for a 30-day extension, making the maximum period for delivering the data 60 days from the time the written request for access is obtained.
Whenever individuals think their HIPAA rights were violated, they could not file a lawsuit against a HIPAA-covered entity with regard to the HIPAA violation, however, they can submit a complaint to OCR. In this instance, OCR got a complaint from a parent who claimed CHMC did not give her prompt access to her minor daughter’s health information.
CHMC acquired the parent’s request and presented some of her daughter’s medical information but didn’t deliver all the requested data. The parent additionally made a number of follow-up requests to CHMC. OCR looked into the case and affirmed the parent’s written request for a copy of her late daughter’s health data on January 3, 2020. A few of the requested information was given; nonetheless, the rest of the files needed to be secured from another CHMC department. A number of the remaining documents were given on June 20, 2020, with the others given on July 16, 2020. OCR decided that this violated the HIPAA Right of Access – 45 C.F.R. § 164.524(b).
Besides the financial fine, CHMC should review and revise its guidelines and procedures associated with the HIPAA Right of Access, give the policies to OCR for review, and send the okayed policies to the employees and make sure training is given.
Normally, HIPAA calls for covered entities to provide parents timely access to their young children’s medical information, as long as the parent is the child’s personal representative, explained Acting OCR Director Robinsue Frohboese. OCR’s Right of Access Initiative establishes patients’ and personal representatives’ basic right to their medical information and shows the value of all covered entities’ compliance with this important right.