The settlement marks the first enforcement of OCR’s HIPAA Right of Access Initiative announced earlier this year, where officials vowed to strictly enforce the right of patients to receive access to their records in a timely fashion and without being overcharged.
In August, a study from medRxiv showed that more than half of providers fail to comply with the HIPAA provision. Many patients had to make multiple requests to their provider to finally gain access to their information.
For Bayfront Health, a mother made a complaint to OCR after they claimed the Florida provider failed to provide her with timely access to the fetal heart monitor records about her unborn child. The complaint was received on August 14, 2018 and the written access request was first made to Bayfront Health in October 2017.
OCR launched an investigation and Bayfront Health provided the mother with access – nine months after the initial request was made.
Under HIPAA, providers are required to provide patients with their records within 30 days of the request and may only charge patients a reasonable fee. The mandate also applies to parents seeking information about their minor children, “and in this case, a mother who sought prenatal health records about her child.”
“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” OCR Director Roger Severino, said in a statement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
In addition to the monetary penalty, Bayfront Health has also agreed to a corrective action plan, which requires the provider to develop, maintain, and revise, where necessary, its written access policies and procedures to comply with the HIPAA privacy rule.
The new policies must include provisions that ensure comprehensive responses to records’ requests, as well as protocols for training all employees and applicable business associates involved in receiving or fulfilling access requests as necessary and appropriate to ensure compliance.
Appropriate sanctions must be applied to workforce members that fail to comply. Bayfront Health is also required to create a process for reviewing business associate performance around access requests and terminating business associate relationships that don’t comply with the updated policies.
Lastly, Bayfront will need to assign one or more individuals responsible for ensuring business associate agreements involved with access requests are properly executed.
The updated access policies must be provided to HHS within 60 days of the effective date. Bayfront must also distribute the updated rules to its workforce members and relevant business associates within 30 days of HHS’ approval. Any new workforce members will also need to receive the policies within 30 days of beginning their employment.
All workforce members and applicable business associates must sign a written or electronic compliance of the policies. Bayfront is also required to update the policies on a yearly basis.