The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing its program to end non-compliance with the HIPAA Right of Access. OCR has announced its fifteenth settlement resolving a HIPAA Right of Access enforcement action.
Renown Health, a non-profit healthcare network in Northern Nevada, agreed to pay a $75,000 financial penalty to resolve its HIPAA case with OCR over a potential violation of the HIPAA Right of Access.
OCR began investigating Renown Health after a patient filed a complaint because she did not receive a digital copy of her protected health information (PHI). In January 2019, the patient submitted her request to Renown Health with an instruction to give her medical and billing data to her attorney. After more than a month of waiting, no records had been received, so the patient submitted her complaint to OCR. Renown Health provided the requested information only on December 27, 2019, approximately one year after the initial request was filed.
Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), healthcare records should be delivered to the requesting party within 30 days of the request being filed. OCR determined that Renown Health violated the Privacy Rule by waiting too long to provide the requested information.
In addition to paying the financial penalty, Renown Health will carry out a corrective action plan. It is required to create, maintain, and update, as necessary, written guidelines and procedures that ensure it complies with the HIPAA Right of Access. Staff members should undergo training on the guidelines and procedures. A sanctions policy ought to be applied when workers do not follow the guidelines and procedures. OCR will monitor Renown Health for two years to ensure compliance with the HIPAA Right of Access.
Access to one's own health records is a vital HIPAA right. Healthcare organizations are required by law to give patients prompt access to their medical records.
This settlement is the third announced by OCR in 2021. The two prior settlements involved Banner Health and Excellus Health Plan. The former paid a $200,000 settlement for violating the HIPAA Right of Access, while the latter paid a $5,100,000 penalty for multiple HIPAA violations that led to a data breach in 2015 affecting 9,358,891 records.