Pramote Lertnitivanit/istock via

OCR Settles 20th HIPAA Right of Access Case With Nebraska Hospital

Children’s Hospital & Medical Center in Nebraska paid an $80,000 civil monetary penalty to resolve the twentieth case under OCR’s HIPAA Right of Access Initiative.

The HHS Office for Civil Rights (OCR) settled its twentieth case under the HIPAA Right of Access Initiative, marked by an $80,000 civil monetary penalty paid by Nebraska-based Children’s Hospital & Medical Center (CHMC).

CHMC agreed to pay the penalty fee and undertake a corrective action plan due to a potential violation of the HIPAA Privacy Rule’s right of access standard.

A parent filed a complaint with OCR in May 2020, alleging that CHMC had failed to provide timely access to her daughter’s medical records. Despite multiple follow-up requests, the parent only received some of the requested records.

The HIPAA right of access standard requires a covered entity to initiate action within 30 days of receiving a records request. OCR’s investigation resulted in the parent receiving all of the previously requested records.

"Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative,” Robinsue Fohboese, acting director of OCR, explained in the press release.

“OCR's Right of Access Initiative supports patients' and personal representatives' fundamental right to their health information and underscores the importance of all covered entities' compliance with this essential right.”

The corrective action plan requires CHMC to revise its policies and procedures to ensure compliance with the HIPAA right of access standard and submit the new policies to HHS for approval. CHMC will also be required to distribute the revised policies to appropriate workforce members and provide training to employees about HIPAA right of access compliance.

OCR launched the HIPAA Right of Access Initiative in 2019 in order to advocate for individuals trying to obtain their health records in a timely manner, as outlined in the HIPAA Privacy Rule. The CHMC case marks the seventh settlement of 2021 under the initiative.

Recent changes to HIPAA right of access policies have left experts questioning the future of HIPAA and third-party data sharing. A proposed modification to the HIPAA Privacy Rule earlier this year would allow individuals to request that providers transmit certain protected health information (PHI) in an electric format to any third party.

A recent op-ed published in The Regulatory Review by Mary Anderlik Majumder suggested that the policy transformations could lead HIPAA in one of two directions.

“One possibility is a learning health system, fueled by patient contributed data and sophisticated data science and governed with an eye to advancing population health and equity while protecting privacy and maintaining trust. Another possibility is health-related corporate surveillance on steroids,” Anderlik wrote.

The policy would give patients more ownership and control over their own records, but it could also result in PHI ending up in the wrong hands. The addition of third-party access may serve as yet another open door to bad actors, despite its intentions.

Next Steps

Dig Deeper on HIPAA compliance and regulation