Home Health & Hospice Week

Hint: This might be the first right to access case, but it won’t be the last.

With so many new requirements being thrown at you, it’s easy to let something like furnishing patients with their own records fall through the cracks. A newly announced settlement shows why you should hold yourself accountable in this area.

On Sept. 9, the HHS Office for Civil Rights announced that Bayfront Health-St. Petersburg agreed to pay OCR $85,000 to settle a HIPAA violation related to a patient’s right to access medical records, an OCR release says. The Florida-based medical center also committed to a one-year corrective action plan (CAP) to remedy its issue.

This is OCR’s first enforcement since launching its “Right of Access Initiative” earlier this year. The agency promises “to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged,” the release reiterates.

Late Isn’t Better Than Never

According to OCR, Bayfront didn’t comply and failed to give a pregnant mother records concerning her unborn child in a timely manner. The mother issued a complaint to the OCR, which precipitated an investigation by the agency. Bayfront did not get the mother the records until nine months after the initial request.

Reminder: HIPAA requires covered entities (CEs) to provide their patients with their protected health information (PHI) within 30 days of a request. In addition, a nominal fee for the medical records is allowed, but it must be reasonable.

This case also follows the rule that parents are granted access to the PHI of their minor children as well — including unborn children.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” OCR director Roger Severino says in a statement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

This settlement comes on the heels of a plethora of policy proposals from the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services to circumvent information blocking, boost data sharing, and improve interoper­ability. The proposed rules have not been finalized yet, but are expected in the coming months.

“While historically patient access complaints have not generally invoked the fines and penalties that other types of HIPAA compliance issues have, that pattern is changing,” warn attorneys Stephane P. Fabus and Mark J. Swearingen of national firm Hall Render in online analysis in the Health Law News blog. “Fines and penalties will likely become a more common-place tool for enforcing compliance with the patient access requirements. OCR is now requesting information regarding a covered entity’s financial status as part of its standard investigation into access complaints.”

Note: Review the HIPAA rules on patients’ rights to access their PHI at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs.