OCR's $80,000 Settlement with Children's Hospital and Medical Center for Potential HIPAA Right of Access Violation
The results were broadcasted when the Office for Civil Rights (OCR) at the U.S. Department
of Health and Human Services completed the twentieth
investigation in its HIPAA Right of Access Initiative. Under the HIPAA Privacy
Rule, OCR supports individuals' right to timely access to health records at a reasonable
cost.
Children's
Hospital & Medical Center (CHMC) must pay an $80,000 fine and take corrective
actions to settle a potential violation of the HIPAA Privacy Rule's right of
access standard. CHMC is located in Omaha, Nebraska, and provides pediatric
health care services.
Why did the $80,000 fine occur?
Simply put, the reason an investigation began was due to an information blocking (IB) complaint. According to a complaint filed with OCR, one parent alleged that CHMC failed to provide timely access to her minor daughter's medical records. Despite the parent's multiple follow-up requests, CHMC did not provide all the requested documents and only offered some of her daughter's medical records instead.
"Generally,
HIPAA requires covered entities to give parents timely access to their minor
children's medical records, when the parent is the child's personal
representative. OCR's Right of Access Initiative supports patients' and
personal representatives' fundamental right to their health information and
underscores the importance of all covered entities' compliance with this
essential right," said Acting OCR Director Robinsue Frohboese.
HIPAA-covered
entities are legally required to take action on an access request within 30
days of receipt (or if an extension is applicable within 60 days). After an
investigation, OCR determined that CHMC's failure to provide timely access to
the requested medical records was a potential violation of the HIPAA right of
access standard. The parent finally received all of the requested records as a
consequence of OCR's investigation.
In
addition to the monetary settlement, CHMC must undergo a corrective action plan, including
one year of monitoring. View a copy of their resolution agreement and
corrective action plan here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chmc-ra-cap/index.html.
Knowing what is Information Blocking (IB) so you can avoid fines & penalties:
Here are a few of the most common examples of activities considered information blocking that increase a healthcare organization's risk:
- Any policy that requires a patient to provide written consent before sharing information with another healthcare provider for treatment purposes, when it is not required by state or federal law, could be considered IB. Remember, HIPAA does not require written consent or authorization to share information for treatment purposes.
- Having the ability to provide same-day access to a patient or a patient's healthcare provider but taking several days to respond could be considered IB.
- Any action that restricts authorized access for treatment and other permitted uses and disclosures under HIPAA could be considered not only a HIPAA violation but also information blocking.
Other items in the Information Blocking Rule that can be helpful to healthcare providers:
- An electronic health record vendor cannot charge excessive fees to create the interfaces needed to connect with other health information technology, like a health information exchange.
- There cannot be restrictive or unfair contractual limitations on the use and exchange of medical information. For example, an EHR vendor charges an excessive fee to access or transfer medical records after a healthcare provider changes vendors.
It is important to note that healthcare providers are at the highest risk of information blocking when they know their actions would likely interfere, prevent, or materially discourage access, exchange, or use of EHI. Examples are denying access to patients of their own EHI, denying access for treatment purposes, disabling patient portal capabilities, and simply taking too long to provide access.
Learn more directly from the HIPAA Privacy and Security Rules:
- For more information on a wide range of topics about the Privacy and Security Rules, you can call the OCR Privacy toll-free phone line at (866) 627-7748 or visit the OCR Privacy website here: http://www.hhs.gov/ocr/privacy/index.html.
- Educate
yourself about OCR's civil rights authorities and responsibilities here: http://www.hhs.gov/ocr/office/index.html.
How to avoid these unnecessary problems (We've got your back)
Understanding the Information Blocking regulations and the exceptions can be somewhat daunting to apply to your organization's day-to-day operations.
- Healthcare
Compliance Pros understands the importance of all healthcare organizations responsible for complying with HIPAA Privacy and Security Rule
requirements to safeguard the availability, confidentiality, and integrity
of patients' electronic health information.
- We have developed a learning module that further defines activities that can be considered information blocking, the data elements included in USCDI, and the eight exceptions that would not be considered information block under certain conditions.
- Remember that as an HCP client, you have access to compliance experts who can help you navigate through these new requirements.
- If you have questions about a particular activity in your organization and whether it would be considered information blocking or if it would meet an exception, please reach out to your HCP Support Team. Quickly gain access to expert answers to any compliance questions regarding your organization's HIPAA requirements by contacting us by phone (855-427-0427) or email (info@hcp.md).
- Are you not a client yet? The fastest way to get help with meeting your HIPAA requirements is to Schedule a free consultation.