The HHS’ Office for Civil Rights and The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) reached a settlement of a probable HIPAA Right of Access violation. This is the 8th financial penalty issued by OCR in 2021 for settling violations of HIPAA Rules. It is additionally the 19th settlement related to OCR’s HIPAA Right of Access enforcement project, which commenced at the end of 2019.
Healthcare provider DELC, which is located in West Virginia, specializes in the therapy of endocrine illnesses. Last August 2019, OCR received a complaint concerning DELC’s supposed failure to act promptly on a request by the complainant for a copy of protected health information (PHI). The HIPAA Privacy Rule requires healthcare companies to give a person his/her copy of PHI in a particular file format within 30 days of getting a request.
In this case, the complainant asked for her minor child’s PHI copy and DELC did not provide that information in the expected 30 days. On October 30, 2019, OCR gave DELC advice while investigating its potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) connected with the alleged refusal to give a patient’s mom the records she requested.
OCR stated that the failure to give the required records constitutes a violation of the HIPAA Right of Access. According to OCR’s inquiry, DELC later provided a copy of the documents asked for by the child’s mom in May 2021, approximately two years after obtaining the preliminary request.
Apart from the financial penalties of $5,000, DELC has agreed to carry out a corrective action plan that involves assessing and upgrading guidelines and processes for delivering a person’s PHI copy and giving privacy training to its workforce about personal PHI access. OCR is going to keep an eye on DELC for 2 years to ensure it complies with the Right of Access terms of the HIPAA Privacy Rules.
A HIPAA-covered entity must never wait until a federal investigation is underway before providing parent access to his/her kid’s healthcare data, explained Acting OCR Director Robinsue Frohboese. The covered entities have the responsibility to give their patients immediate access to their medical records.