Natali_Mis/istock via Getty Imag

Renown Health Pays OCR $75K for HIPAA Right of Access Failure

The $75,000 settlement with Renown Health becomes the fifteenth enforcement action brought under the OCR HIPAA Right of Access Initiative since its launch in 2019.

The Office for Civil Rights reached a $75,000 civil monetary penalty and corrective action plan with Nevada-based Renown Health, to settle a potential violation of the HIPAA right of access standard.

The settlement is the fifteenth enforcement discretion brought under the OCR HIPAA Right of Access Initiative since its launch in 2019. The effort is designed to support patients in obtaining timely access to their medical records for a reasonable cost.

OCR launched an investigation into Renown Health in February 2019, after receiving a patient complaint that alleged the provider failed to timely respond to their request for an electronic copy of their protected health information. The patient had requested their records, including billing information, to be sent to a third-party.

However, Renown Health failed to provide all of the requested records to the patient until several months after the requests were made, on December 27, 2019. The subsequent audit confirmed that Renown Health’s failure to provide timely access to the requested records was a potential violation of the HIPAA rule.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese, in a statement.

In addition to the monetary penalty, Renown Health agreed to enter into a corrective action plan, which includes two years of monitoring. 

Under the CAP, the provider is required to develop, maintain, and or revise, as necessary, its written access policies and procedures to comply with the HIPAA Privacy Rule. At a minimum, the policies must cover the right of access standard, training, and sanctions.

All workforce members whose job duties involve receiving, reviewing, processing, or fulfilling individual requests for access requests to protected health information must be trained on the newly developed policies.

Those members may include all managers and supervisors, the health information management staff, the compliance department, the legal team, and risk management staff. Employees will need to sign a form certifying that they’ve received training.

Renown must also revise its notice of privacy practices to reflect the changes, which should convey to the public the steps individuals must take when requesting access to protected health information, including billing records.

In the last year, OCR has drastically increased its efforts to enforce violations of the right of access rule. The effort is reflected in a recent agency proposal to make significant changes to the HIPAA Privacy Rule that would bolster patient access rights to PHI and reduce regulatory burden.

Specifically, the Department of Health and Human Services would replace “the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘professional judgment’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual.”

“The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith,” under the proposal.

A recent HHS audit found a range of HIPAA compliance failures across the sector, particularly the right of access standard.

In the meantime, OCR has stressed it will continue to crack down on violations of the rule. In the last three months alone, the agency has settled with five providers under the initiative. The largest, a $200,000 civil monetary penalty, was handed to Banner Health in January.

Next Steps

Dig Deeper on HIPAA compliance and regulation