The HIPAA Right of Access Initiative has claimed another victim. In September 2019, the HHS’ OCR announced that it would be prioritizing enforcement efforts surrounding the HIPAA Right of Access. Since this announcement, the OCR has issued twelve right of access fines, several of them over the past few months. The latest fine is discussed below.
HIPAA Right of Access Initiative Fines University of Cincinnati Medical Center
In May 2019, a patient issued a complaint to the Office for Civil Rights (OCR) claiming that the University of Cincinnati Medical Center (UCMC) failed to provide her with requested medical records. The patient initially requested electronic copies of her records from UCMC on February 22, 2019, asking UCMC to send the records directly to her lawyers.
Under the HIPAA Right of Access Initiative, UCMC has agreed to pay a $65,000 HIPAA fine, adopt a corrective action plan, and is subject to two years of OCR monitoring.
“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.
What is the HIPAA Right of Access?
The HIPAA Right of Access requires healthcare organizations to provide patients access to requested records within 30 days of the request. The records must be provided in the format that is requested, as long as it is reasonably possible to do so. When not possible to provide records in the requested format, an alternate format is permitted. The HIPAA Right of Access also states that providers can only charge a reasonable cost-based fee for record access, for instance, a provider can charge a patient for paper or a CD used to provide the records, but cannot charge for time spent gathering the records.
