September 10, 2021 There might not be such thing as time travel but with the latest HIPAA settlement announcement, it’s looking like the Office for Civil Rights (OCR) has traveled back to their own version of the Roaring ‘20s. Two years, and now twenty resolutions later, the government initiative to support individuals’ right to timely record access has driven its own little economic boom – with the 20th financial penalty bringing the right of access running total to $1,173,500. Children’s Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with the OCR, with a fine of $80,000 and requirement to adopt a corrective action plan that involves one year of government monitoring. But while the Nebraska-based pediatric provider probably isn’t too jazzed about the repercussions, the penalty comes as a result of an equally unhappy individual who was not provided the proper access that HIPAA strives to ensure. The issue was brought to the OCR’s attention back in May of 2020 after a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter’s medical records. The complaint stated that while the organization fulfilled a portion of the request, CHMC failed to provide all of the requested records despite the parent’s several follow-up requests. The delay was in part due to the remainder of the requested records being needed to obtain from a different CHMC division but it wasn’t until after the OCR’s investigation that full access was provided. In addition to the resolution agreement, Acting OCR Director, Robinsue Frohboese released in a statement, “Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.” While this settlement shares plenty of similarities with the 19 other examples of noncompliance that we have seen since the enforcement initiative started, it’s important to note the fact that this $80,000 fine was the result of just one patient complaint. And though the Roaring ’20s might’ve been a relatively short-lived era, proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the right of access enforcement initiative isn’t going anywhere, anytime soon. So with the latest settlement serving as the perfect example of just how much damage a single HIPAA complaint can have on a healthcare organization – ensuring you’re fulfilling all medical record requests in a timely and HIPAA-compliant manner is essential to avoid becoming lucky settlement number 21.
