
OCR’s $80,000 Settlement with Children’s Hospital and Medical Center for Potential HIPAA Right of Access Violation


The results were announced when the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services completed the twentieth investigation in its HIPAA Right of Access Initiative. Under the HIPAA Privacy Rule, OCR supports individuals' right to timely access to health records at a reasonable cost.

Children's Hospital & Medical Center (CHMC) must pay an $80,000 fine and take corrective actions to settle a potential violation of the HIPAA Privacy Rule's right of access standard. CHMC is located in Omaha, Nebraska, and provides pediatric health care services.

Why did the $80,000 fine occur?


Simply put, the investigation began because of an information blocking (IB) complaint. According to a complaint filed with OCR, one parent alleged that CHMC failed to provide timely access to her minor daughter's medical records. Despite the parent's multiple follow-up requests, CHMC did not provide all the requested documents and only offered some of her daughter's medical records instead.

"Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative. OCR's Right of Access Initiative supports patients' and personal representatives' fundamental right to their health information and underscores the importance of all covered entities' compliance with this essential right," said Acting OCR Director Robinsue Frohboese.

HIPAA-covered entities are legally required to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). After an investigation, OCR determined that CHMC's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. The parent finally received all of the requested records as a consequence of OCR's investigation.

In addition to the monetary settlement, CHMC must undergo a corrective action plan, including one year of monitoring. View a copy of their resolution agreement and corrective action plan here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chmc-ra-cap/index.html.

Knowing what Information Blocking (IB) is so you can avoid fines & penalties:

"Information Blocking" represents unnecessary activities that will result in fines & penalties
There are two primary reasons to know how to avoid information blocking activities. First, on an altruistic level, health care entities can help their patients stay in the loop about their personal situation by offering the quickest access to their own health information when requested (that info is your patient's data too). Second, on a protective level, one complaint is all it takes for the OCR to put a spotlight on an organization and begin an investigation. The number of complaints is irrelevant because one complaint is considered too many for the OCR. Understanding what information blocking is can help you mitigate your organization's risk and prevent these activities from wasting away your budget.


Here are a few of the most common examples of activities considered information blocking that increase a healthcare organization's risk:

  • Any policy that requires a patient to provide written consent before sharing information with another healthcare provider for treatment purposes, when it is not required by state or federal law, could be considered IB. Remember, HIPAA does not require written consent or authorization to share information for treatment purposes.
  • Having the ability to provide same-day access to a patient or a patient's healthcare provider but taking several days to respond could be considered IB.
  • Any action that restricts authorized access for treatment and other permitted uses and disclosures under HIPAA could be considered not only a HIPAA violation but also information blocking.

Other items in the Information Blocking Rule that can be helpful to healthcare providers:

  • An electronic health record vendor cannot charge excessive fees to create the interfaces needed to connect with other health information technology, like a health information exchange.
  • There cannot be restrictive or unfair contractual limitations on the use and exchange of medical information. One example is an EHR vendor charging an excessive fee to access or transfer medical records after a healthcare provider changes vendors.

It is important to note that healthcare providers are at the highest risk of information blocking when they know their actions would likely interfere with, prevent, or materially discourage access, exchange, or use of EHI. Examples are denying patients access to their own EHI, denying access for treatment purposes, disabling patient portal capabilities, and simply taking too long to provide access.

Learn more directly from the HIPAA Privacy and Security Rules:

How to avoid these unnecessary problems (We've got your back)

Understanding the Information Blocking regulations and the exceptions can be somewhat daunting to apply to your organization's day-to-day operations.

  • Healthcare Compliance Pros understands how important it is for all healthcare organizations to comply with HIPAA Privacy and Security Rule requirements to safeguard the availability, confidentiality, and integrity of patients' electronic health information.
  • We have developed a learning module that further defines activities that can be considered information blocking, the data elements included in USCDI, and the eight exceptions that would not be considered information blocking under certain conditions.
  • Remember that as an HCP client, you have access to compliance experts who can help you navigate through these new requirements.
  • If you have questions about a particular activity in your organization and whether it would be considered information blocking or if it would meet an exception, please reach out to your HCP Support Team. Quickly gain access to expert answers to any compliance questions regarding your organization's HIPAA requirements by contacting us by phone (855-427-0427) or email (info@hcp.md).
  • Are you not a client yet? The fastest way to get help with meeting your HIPAA requirements is to Schedule a free consultation.