Hospital Agrees to $85,000 Fine for Failure to Provide Timely Access to Patient Records Under HIPAA


On September 9, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced its first enforcement action and settlement under its Right of Access Initiative. Earlier in 2019, OCR publicly announced it would enforce the rights of patients to receive copies of their medical records in a timely manner and without being overcharged.

As part of the settlement and without admitting liability, Bayfront Health St. Petersburg ("Bayfront") also adopted a corrective action plan ("CAP").

In August 2018, OCR received a complaint from a Bayfront patient who initially requested her fetal heart monitor records from Bayfront in October 2017. Bayfront had initially replied to the patient that the records could not be located, and the patient’s attorney then requested the records from Bayfront on two different occasions. Bayfront ultimately provided the complete records nine days after OCR received the patient’s complaint in August 2018.

As part of the one-year CAP, Bayfront agreed to each of the following:

  • develop, maintain and revise as necessary its written access policies;
  • distribute the written access policies to members of its workforce and its relevant business associates;    
  • update its Designated Record Set Policy to ensure comprehensive responses to requests for records;
  • report to HHS the names of its business associates who are involved in fulfilling access requests and provide copies of the business associate agreements; and
  • train its workforce and business associates with respect to the written access policies.  

The OCR settlement is an important reminder of the Right of Access Initiative and of the financial and operational consequences of failing to provide patients with timely copies of medical records upon request, or of overcharging for the response. All covered entities should review their policies and processes for honoring a patient’s rights under HIPAA, provide patients with copies of their medical records, and instruct their business associates to ensure timely and complete compliance.

Saul Ewing Arnstein & Lehr attorneys regularly assist covered entities with creating and maintaining their HIPAA privacy policies and work with covered entities and business associates to ensure HIPAA Privacy Rule and Security Rule compliance. 
