In February of 2021, Sharp HealthCare, doing business as Sharp-Rees Stealy Medical Centers (SRMC), paid $70,000 to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle a potential violation of the HIPAA Privacy Rule right of access standard. The Sharp settlement has become OCR’s sixteenth settlement under OCR’s right of access initiative. Under this initiative that began in 2019, OCR continues to crack down on providers who do not timely respond to patient requests for Sharp medical records.
Sharp HealthCare Pays $70,000 to Settle Potential Right of Access Violation
Under the HIPAA Privacy Rule, a right of access violation occurs when a provider fails to timely respond to a patient request to access, inspect, or copy their medical records. In April of 2019, an SRMC patient made a request for electronic access to their medical records.Â
On June 11, the patient, through a representative, filed a complaint with OCR, alleging that SRMC had failed to provide the requested access. OCR closed its resulting investigation two weeks later, by providing SRMC with technical assistance.Â
OCR provided the technical assistance to stress the importance of a timely response to a request for access. Despite having received the assistance, SRMC did not provide the patient with access to the requested records until mid-October, as a result of SRMC’s second investigation.
OCR concluded its second investigation by finding that SRMC failed to timely respond to the request to have an electronic copy of PHI in an electronic health record (EHR) sent to a third-party recipient.Â
OCR then proposed to fine SRMC for the potential access violation. In lieu of subjecting itself to a civil monetary penalty (CMP), SRMC agreed to settle the potential access violation for $70,000. In the settlement agreement SRMC reached with OCR, SRMC also agreed to undertake a corrective action plan (CAP), which will include two years of compliance monitoring by OCR.
As part of the CAP, SRMC is required to develop right of access standard policies and procedures, and submit these to OCR for approval. These policies and procedures must, among other things, contain:
- An accurate definition of a “Designated Record Set” as defined in the Privacy Rule; and
- Protocols for training all SRMC’s workforce members that are involved in receiving or fulfilling access requests – as necessary and appropriate to ensure compliance with the policies and procedures.
In announcing this latest right of access settlement, Acting OCR Director Robinsue Frohboese noted that “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” And enforced it, OCR has. This settlement, the sixteenth under the right of access initiative, comes a mere two days after the fifteenth was announced.Â
