OCR provided the technical assistance to stress the importance of a timely response to a request for access. Despite having received the assistance, SRMC did not provide the patient with access to the requested records until mid-October, as a result of SRMC’s second investigation.
OCR concluded its second investigation by finding that SRMC failed to timely respond to the request to have an electronic copy of PHI in an electronic health record (EHR) sent to a third-party recipient.
OCR then proposed to fine SRMC for the potential access violation. In lieu of subjecting itself to a civil monetary penalty (CMP), SRMC agreed to settle the potential access violation for $70,000. In the settlement agreement SRMC reached with OCR, SRMC also agreed to undertake a corrective action plan (CAP), which will include two years of compliance monitoring by OCR.
As part of the CAP, SRMC is required to develop right of access standard policies and procedures, and submit these to OCR for approval. These policies and procedures must, among other things, contain:
- An accurate definition of a “Designated Record Set” as defined in the Privacy Rule; and
- Protocols for training all SRMC’s workforce members that are involved in receiving or fulfilling access requests – as necessary and appropriate to ensure compliance with the policies and procedures.
In announcing this latest right of access settlement, Acting OCR Director Robinsue Frohboese noted that “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” And enforced it, OCR has. This settlement, the sixteenth under the right of access initiative, comes a mere two days after the fifteenth was announced.