On September 10, 2021, the Department of Health and Human Services Office for Civil Rights (OCR) announced the issuance of another right of access fine. The OCR HIPAA investigation led to the twentieth right of access fine issued since the 2019 right of access enforcement initiative was announced.
Children’s Hospital & Medical Center OCR HIPAA Investigation
In May 2020, the OCR received a complaint against Children’s Hospital & Medical Center (CHMC) after they failed to provide a parent with their minor child’s medical records. Although the parent made several requests for their child’s records, CHMC failed to provide all of the records requested, instead only partially complying with the request. After CHMC failed to meet the parent’s request after multiple follow-up requests, the parent filed a complaint with the OCR.
An OCR HIPAA investigation was launched to investigate the complaint, determining that CHMC failed to meet right of access requirements, mainly, failing to provide requested records within thirty days of the request, and not providing the full requested records. To settle potential HIPAA violations, CHMC agreed to pay an $80,000 fine, and undertake a corrective action plan, including one year of OCR monitoring.
“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right,” said Acting OCR Director Robinsue Frohboese.
To read the full resolution agreement, please click here.
What is the HIPAA Right of Access?
The HIPAA right of access standard requires healthcare organizations to meet a patient’s request to receive a copy of their medical records. These records must be provided to the patient, or their personal representative, within thirty days of the request (or within 60 days if an extension is applicable). Records must also be provided in the format the patient requests them in when it is reasonably appropriate to do so, and places limitations on the cost that can be charged for providing the records.
Under this standard, healthcare organizations must provide patients with access to all protected health information contained in their “designated record set.” There are two categories of information, however, that are expressly excluded from the right of access:
- Psychotherapy notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
