Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH

Hospital Fined for Slow Records Release

HHS OCR Says Case Is First in New 'Right to Access' Initiative
Hospital Fined for Slow Records Release

Federal regulators have slapped a Florida healthcare provider with an $85,000 HIPAA settlement for failing to provide a mother with timely access to fetal monitoring records.

See Also: OnDemand | Driving Security, Privacy, & Compliance Goals by Accelerating HITRUST Certification

The Department of Health and Human Services’ Office for Civil Rights said its settlement with Bayfront Health St. Petersburg on Monday is the agency’s first enforcement action in its new “HIPAA right of access initiative.”

The agency earlier this year said it would vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged (see: HHS Lowers Some HIPAA Fines).

The enforcement action against Bayfront Health sends an important message, says privacy attorney Kirk Nahra of the law firm WilmerHale.

”This is something that covered entities, mainly doctors and hospitals … really need to get right,” he says. ”While the dollar amount [of the Bayfront settlement] isn’t enormous … this is a critical area for these entities in terms of their reputation.”

Earlier Case

But this is not the first time the agency has taken an enforcement action in a right to access complaint case.

OCR’s very first HIPAA civil monetary penalty case in 2011 revolved around a healthcare provider’s failure to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.

In that case against Cignet Health of Prince George's County, Maryland, OCR levied a $4.3 million fine. OCR officials later confirmed that they did not collect the fine because Cignet eventually filed for bankruptcy.

New Settlement

Bayfront Health St. Petersburg is a level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR in a statement says it initiated its investigation based on an August 2018 complaint from the mother alleging that she requested her fetal heart monitor records from Bayfront Health starting in October 2017 and had not received them by the date of her complaint to the agency.

”As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request,” OCR says. The HIPAA rules generally require covered healthcare providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee, OCR says.

”This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child,” OCR adds.

Corrective Action Plan

In addition to paying the financial penalty, Bayfront Health has also agreed to a corrective action plan, OCR notes.

A resolution agreement in the case notes that Bayfront Health has agreed to:

  • Develop, maintain and revise its written policies and procedures to comply with the HIPAA Privacy Rule’s right to access regulations;
  • Provide those access policies and procedures to HHS for review within 60 days, then make necessary revisions within 30 days and implement those revised policies and procedures within 30 days;
  • Distribute revised policies and procedures, and request a compliance certification from all appropriate members of the workforce and relevant business associates stating that they have read and will abide by such policies and procedures;
  • Assess, update and revise its patient right to access policies and procedures at least annually or as needed;
  • Review and update as necessary Bayfront’s “designated record set policy” to ensure comprehensive responses to requests for records;
  • Provide training for all Bayfront’s workforce members and business associates who are involved in receiving or fulfilling access requests to ensure compliance with the policies and procedures.

OCR also notes that Bayfront’s corrective action plan includes one year of monitoring by the agency.

“Providing patients with their health information not only lowers costs and leads to better health outcomes - it’s the law,” OCR Director Roger Severino said in the statement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

Bayfront Statement

In a statement provided to Information Security Media Group about the case that triggered the settlement, Bayfront Health notes: ”While we responded to the patient’s record requests, clerical errors unfortunately caused a significant delay in fulfilling the entire request for records. Delays in fulfilling requests for access to patient health information do not meet our service standards and we have sincerely apologized to the patient.”

"It is important to ensure that patients can exercise their rights and get their records in a secure way."
—Iliana Peters, Polsinelli

Bayfront Health says it’s committed to timely fulfillment of patient record requests. “Working with our release of information vendor, staff have been re-educated on processes, including escalation procedures when requested documents cannot be located. Our hospital has also added more oversight by health information management staff of records requests and processing to ensure patients receive accurate records in a timely manner.”

An Important Issue

Some privacy and security experts note that providing patients with timely access to records is important for several reasons, including making sure patients are active participants in their health treatment and helping them to guard against records errors or tampering.

“While I think this is not a huge area of noncompliance, it is an important one,” says privacy attorney Iliana Peters of the law firm Polsinelli who’s a former OCR official. “I believe that is why OCR is undertaking this enforcement initiative.”

In terms of patient complaints about accessing their records, “I actually hear most often that individuals want immediate access to their medical records, including through potentially unsecure applications, which is, obviously, not a HIPAA Privacy Rule issue, and could be, in fact, a problem under the HIPAA Security Rule,” she says. “So, as always, it is important to ensure that patients can exercise their rights and get their records in a secure way.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.