Faced with being issued a civil monetary penalty (CMP) for noncompliance with the right of access standard, Arbour agreed to settle with OCR for $65,000. Arbour also agreed to submit to a corrective action plan. The terms of the settlement can be found here.
Under the terms of the corrective action plan, Arbour must develop and implement the following:
- A “Right of Access to PHI” policy to ensure comprehensive and timely responses to requests for records.
- Protocols for training all Arbour’s workforce members and business associates that are involved in receiving or fulfilling access requests, as necessary and appropriate to ensure compliance with the “Right of Access to PHI” policy.
- A sanctions policy, to be applied against Arbour workforce members who fail to comply with the “Right of Access to PHI” policy.
- A process for reviewing business associate performance with regard to access requests and responses, and for terminating relationships with business associates who fail to permit Arbour to comply with the “Right of Access to PHI” policy.
In addition, Arbour must designate one or more individuals, who are to ensure that Arbour’s business associate agreements with business associates involved in Arbour’s right of access responsibilities, are properly executed.
“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed