Getty Images/iStockphoto

OCR Settles With West Virginia-Based DELC for HIPAA Right of Access Failure

Marking the nineteenth settlement under the HIPAA Right of Access Initiative, West Virginia-based specialist DELC paid OCR a civil monetary penalty and agreed to a corrective action plan.

The Department of Health and Human Services Office for Civil Rights announced it reached a settlement with West Virginia specialist Diabetes, Endocrinology & Lipidology Center (DELC) for $5,000, to resolve a potential violation of the HIPAA Privacy Rule Right of Access standard.

The settlement marks the nineteenth reported under the agency’s HIPAA Right of Access Initiative launched just two years ago.

The DELC settlement stems from an August 2019 complaint made to OCR, alleging the specialist was not in compliance with the HIPAA Rule. The individual claimed DELC refused to provide a mother with access to her son’s protected health information.

OCR notified DELC that it would be investigating the alleged noncompliance on October 30, 2019. The review determined that DELC has failed to provide the mother with timely access to her minor son’s PHI, since July 8, 2019.

The settlement agreement was reached in interest with avoiding the burden, expense, and uncertainty of a prolonged investigation and formal proceedings. The agreement is not an admission or concession of guilt.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese, in a statement.

“Covered entities owe it to their patients to provide timely access to medical records,” she added.

In addition to the $5,000 civil monetary penalty, DELC also agreed to enter into a corrective action plan, which includes two years of monitoring by OCR.

The CAP requires DELC to finally provide the complainant with access to the previously requested records within 15 days, or to send the reason for denying access.

Under the CAP, DELC is required to review and revise its policies and procedures around HIPAA Right of Access to PHI. The assessment must align with HIPAA and identify its methods for calculating costs for the labor to copy requested PHI, supplies, and postage, as well as the preparation of a PHI summary when requested by an individual.

The policies must be sent to HHS for review and implemented within 30 days of approval, before staff is retrained on PHI access requirements.

OCR has made the privacy standard a key enforcement priority during that time, driven by efforts to better support a patient’s right to access their health information. The comment period for the agency’s proposed changes to HIPAA recently closed.

Many of the proposed changes centered around bolstering patient access and data sharing between providers. Under HIPAA, patient access rights are an essential aspect: individuals have a right to review or obtain copies of their own protected health information in a requested format and within a reasonable timeframe.

“The Privacy Rule would require that covered entities grant personal representatives with the right of access on behalf of an individual in an electronic environment, just as they do today with regard to paper-based information,” according to the Privacy Rule.

“Covered entities will want to make sure, however, that they have the capacity to identify, authenticate, and properly respond to requests from these individuals, whether electronically or otherwise, as the Privacy Rule requires,” it adds.

It’s yet to be determined how the proposed changes will be finalized. But both CHIME and the Association for Behavioral Health and Wellness raised several privacy and security concerns, including a 15-day reduction to the amount of time providers have to respond to patient record requests.

Next Steps

Dig Deeper on HIPAA compliance and regulation