October 7, 2020
The Office for Civil Rights (OCR) has officially kept their foot on the gas heading into October, announcing their 8th HIPAA right of access fine and adding to a string of nine total HIPAA fines announced since September 15th. Five of those recent fines also centered on providing patients appropriate access to their records, an initiative the OCR pledged to enforce in 2019.
The latest practice left in the OCR’s dust is St. Joseph’s Hospital and Medical Center (SJHMC), an acute care hospital with several hospital-based clinics providing a variety of health services out of Phoenix, Arizona. SJHMC was slapped with a $160,000 fine, along with a 2-year corrective action plan to settle their potential HIPAA violation.
Continuing the patient right of access violation trend, SJHMC failed to provide patient records requested by a patient’s personal representative within any sort of a reasonable timeframe, and certainly not within HIPAA-mandated and state-specific deadlines. OCR involvement began in April 2018, when a complaint was received from an SJHMC patient’s mother stating that since January of 2018 she made various requests for a copy of her son’s medical records that SJHMC had failed to fulfill.
While the hospital provided partial records, they failed to produce the full records requested despite follow-ups made by the mother in March, April, and May of 2018. The records were only provided a long 22 months later, in December 2019, after the OCR got involved to investigate the complaint. The deadline to provide patient records after a request in Arizona is 30 days.
If you haven’t realized the enforcement trend yet, the OCR made it pretty clear in their statement announcing the fine. “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino stated, “OCR has many rights of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”
Not only did OCR Director Roger Severino call out practices who aren’t actively focusing on their HIPAA compliance program, he emphasized that there is more to come related to patient right of access. This fine, along with the many others announced in recent weeks, emphasizes just how important a HIPAA compliance program is and having the right policies in place to fulfill all aspects of HIPAA compliance – including meeting patient’s access requests.