NP Privacy Partner
OCR keeps its promise to enforce PHI right of access violations

On September 9, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) issued its first enforcement action under its Right of Access Initiative. Bayfront Health St. Petersburg, a 480-bed hospital in Florida (“Bayfront”), was fined $85,000 and is subject to a corrective action plan following its failure to provide a mother with timely access to her unborn child’s medical records.

The enforcement action was spurred by the mother’s complaint to OCR, stating that she requested from Bayfront the medical records of her unborn child and had not received them. OCR’s investigation found that Bayfront failed to provide the mother with access to the requested PHI. In addition to the financial penalty, Bayfront is required to develop or revise access policies and procedures that comply with the HIPAA requirements and train workforce members and applicable business associates on these policies and procedures.

OCR’s Right of Access Initiative, announced earlier this year, is intended to “vigorously enforce” patients’ rights to receive copies of their medical records in a prompt manner without being overcharged for the records. The right of access is a fundamental patient right under the HIPAA Privacy Rule, and OCR has expressed concern that health care providers were failing to provide timely patient access and were overcharging patients for copies of their records. Health care providers, and any business associates tasked with assisting with the provision of access to records, must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access. A health care provider must provide patient access within 30 days of a request unless it has a reason to deny the request that is permissible under the Privacy Rule or unless it has a valid reason to extend its response time by no more than 30 days. The provider may charge only a reasonable, cost-based fee for the records. Applicable state law may specify precise amounts or place additional limitations on what a provider may charge a patient.

This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP