Are you prepared for the "No Surprises Act" that came into effect Jan 2022 and aims to mitigate surprise billing practices? If not, register for our No Surprises Act Webinar.

OCR’s $80,000 Settlement with Children’s Hospital and Medical Center for Potential HIPAA Right of Access Violation

OCR's $80,000 Settlement with Children's Hospital and Medical Center for Potential HIPAA Right of Access Violation

Friday, September 10, 2021 — The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services broadcast the results of the twentieth investigation in its HIPAA Right of Access Initiative. Under the HIPAA Privacy Rule, OCR supports individuals' right to timely access of health records at a reasonable cost.

Children's Hospital & Medical Center (CHMC) must pay $80,000 and take corrective actions to settle a potential violation of the HIPAA Privacy Rule's right of access standard. CHMC is located in Omaha, Nebraska, and provides pediatric health care services.

Why did the $80,000 fine occur?

OCR HHS Expensive Settlements

According to a complaint filed with OCR in May 2020, one parent alleged that CHMC failed to provide timely access to her minor daughter's medical records. Despite the parent's multiple follow-up requests, CHMC did not provide all the requested documents and only offered some of her daughter's medical records instead.

"Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative. OCR's Right of Access Initiative supports patients' and personal representatives' fundamental right to their health information and underscores the importance of all covered entities' compliance with this essential right," said Acting OCR Director Robinsue Frohboese.

HIPAA-covered entities are legally required to take action on an access request within 30 days of receipt (or if an extension is applicable within 60 days). After an investigation, OCR determined that CHMC's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. The parent finally received all of the requested records as a consequence of OCR's investigation.

In addition to the monetary settlement, CHMC must undergo a corrective action plan, including one year of monitoring. View a copy of their resolution agreement and corrective action plan here:

Resources about the HIPAA Privacy and Security Rules:

How to avoid these unnecessary problems:

  • Healthcare Compliance Pros understands the importance of all healthcare organizations responsible for complying with HIPAA Privacy and Security Rule requirements to safeguard the availability, confidentiality, and integrity of patients' electronic health information.
  • For expert answers to compliance questions regarding your organization's HIPAA requirements, contact us by phone 855-427-0427 or by email
  • Not a client yet? Schedule a free consultation.