February 12, 2021
Today the Office for Civil Rights (OCR) is celebrating their Sweet 16 – sixteenth HIPAA Right of Access fine, to be exact. Instead of party hats and birthday cake, they’re kicking off the festivities with a hefty settlement and second HIPAA fine this week.
The not so lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based out of California. SRMC was gifted with a $70,000 fine along with a 2-year corrective action plan for violating HIPAA right of access requirements.
The ‘party’ began back in June of 2019 after the OCR received a complaint stating that SRMC failed to respond when a patient requested an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?).
The ‘party’ didn’t stop there, when even after providing technical assistance the OCR received a second complaint just two months later alleging that SRMC had still yet to provide the requested access. It wasn’t until after the OCR investigated further that SRMC finally fulfilled the patient’s request.
Not only did today’s announcement take the cake (party pun intended) for the second fine released just this week, but the details of the most recent settlements are so similar we feel like we’re seeing double. Both fines were a result of patient right of access violations, and more specifically for the failure to provide an electronic copy of health records to a third party.
So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the way it was requested. Acting OCR Director, Robinsue Frohboese emphasized the government’s continued focus in today’s press release, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”
After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock. If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be too much fun) then having the right policies and procedures in place along with the proper employee training on how to respond to record requests is key.