Getty Images/EyeEm

$70K OCR Penalty for Sharp Health Over HIPAA Right of Access Failures

Sharp HealthCare’s $70,000 civil monetary penalty with OCR is the sixteenth enforcement action under the HIPAA Right of Access Initiative and the second announced this week.

California-based Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), has agreed to a corrective action plan and to pay the Office for Civil Rights a $70,000 civil monetary penalty over two potential violations of the HIPAA right of access standard.

The enforcement action is the sixteenth made under the Right of Access Initiative since its launch in 2019. It’s the sixth reported in the last three months and the second reported in the last week. 

The initiative was established as part of an overall OCR movement to ensure patients’ rights to access their medical records in a timely fashion and in their desired format. While HIPAA empowers patients to be more in control of their care with access to their records, data shows many providers struggle to comply with the HIPAA mandate. 

A recently disclosed HHS audit found the majority of providers are struggling with compliance in this area, and the agency recently proposed changes to the HIPAA rule that would fuel access rights for patients.

For SRMC, the enforcement action stems from two complaints filed with OCR over allegations of failing to provide records access. 

The first complaint, filed on June 11, 2019, claimed the medical center failed to provide the complainant's client electronic access to his medical records, as requested in writing two months earlier.

On June 25, OCR closed the case after providing SRMC with technical assistance. However, the same patient filed a second complaint with OCR against SRMC on August 19, 2019, alleging the provider had still not responded to the request for access to his medical records.

SRMC did not provide the patient access to his records until October 15, 2019, more than six months after the initial records request.

The OCR audit into the incident found SRMC failed to timely respond to the patient’s request for an electronic copy of their protected health information to be sent to a third-party.

"Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right," Acting OCR Director Robinsue Frohboese, said in a statement.

In addition to the monetary penalty, SRMC has entered into a corrective action plan that includes two years of monitoring by OCR. Under the CAP, SRMC is required to develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule in regards to the privacy of PHI and patient access rights.

At a minimum, the policies must include training protocols and all obligations for patient access as required under the regulation, including an accurate definition of a “designated record set” as established by HIPAA.

All workforce members whose job duties relate to receiving, reviewing, processing, or fulfilling individual requests for access to health records must receive training on the new protocols within 60 days of implementation. Employees must certify in writing that they received the training.

In light of the many enforcement actions on patient access rights, all covered entities and their business associates should review previous OCR guidance to ensure they’re in compliance with the rule to avoid similar, costly penalties.

Next Steps

Dig Deeper on HIPAA compliance and regulation