On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response to allegations that it failed to provide a mother with timely access to medical records concerning her unborn child. Under the terms of a resolution agreement, Bayfront agreed to pay $85,000, and enter into a one-year corrective action plan (CAP).

OCR initiated an investigation of Bayfront in response to a 2018 patient complaint. According to OCR’s investigation, the patient initially submitted a written request for fetal heart monitor records in October, 2017, and subsequently submitted follow-up requests through counsel in January and February o2018. Bayfront allegedly did not provide a complete set of records to the patient’s counsel until August 2018, and the patient reportedly did not receive the records directly until February 2019. OCR’s investigation thus “indicated that Bayfront failed to provide access” to PHI about the patient in a designated record set, in accordance with 45 C.F.R. § 164.524. Bayfront did not admit liability as part of the resolution agreement.

Under the terms of the CAP, Bayfront is obligated to update its written access policies to comply with HIPAA, and provide HHS access to those policies within 60 days for review and approval. The policies must include provisions addressing HIPAA’s right of access, as well as protocols for training of workforce members and sanctions for non-compliant workforce members. Bayfront will also be obligated to submit an implementation report within 120 days after receiving HHS approval of the policies and procedures, an annual report that includes training materials on the new HIPAA policies and procedures, and attestations of compliance with the CAP’s requirements.

This enforcement action is part of OCR’s new “Right of Access Initiative” that is intended to “vigorously” ensure that patients are able to “receive copies of their medical records promptly and without being overcharged.” Health care providers and other entities subject to HIPAA would therefore be well-advised to review their policies and procedures for providing access to medical records, because potential violations of HIPAA’s right to access are under heightened government scrutiny at this time.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.