Not-for-profit Nevada health system Renown Health, P.C., has agreed to pay $75,000 to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle a potential violation of the HIPAA Privacy Rule right of access provision. The settlement is a product of HHS’ Right of Access Initiative. Under this initiative, OCR established cracking down on providers who fail to grant timely patient access to medical records as a top priority. Renown Health is the 15th provider in a seventeen-month span to have been fined under this initiative. The details of this HIPAA right of access fine are discussed below.
Untimely Access to Medical Records
In February of 2019, OCR received a complaint alleging that Renown Health failed to respond to a request for Renown medical records under the HIPAA right of access provision. Renown had been asked by a patient in January to provide a third party with an electronic copy of her PHI, including billing records. Upon investigation, OCR determined that the failure to provide timely access may have violated the right of access standard. Renown finally provided the requested access in December of 2019 – after the investigation had concluded.
HIPAA Right of Access Initiative: The Settlement
To settle the potential Privacy Rule violation, Renown settled with OCR for $75,000. As part of the settlement, Renown has agreed to a two-year corrective action plan (CAP). Renown is required to take the following actions under the CAP:
- Renown must develop, maintain, and/or revise, as necessary, its written access policies and procedures to comply with the HIPAA Privacy Rule. The policies and procedures must address Renown’s failure to provide timely access to medical records, by describing Renown’s obligations under the right of access provision. The procedures must ensure comprehensive and timely responses to access requests to PHI. The policies and procedures must also outline protocols for training all workforce members involved in receiving or fulfilling access requests.
- Renown must provide the policies and procedures to HHS for approval.
- If HHS recommends any changes to the policies and procedures, Renown must make revisions within 30 days of the recommendations. The revision process will continue until HHS approves the policies and procedures in full.
In a press release accompanying the settlement announcement, Acting OCR Director Robinsue Frobhoese, who has replaced former Director Roger Severino, stated: “Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.”
