– Arizona-based Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), has agreed to corrective actions and a $160,000 enforcement action with the Office for Civil Rights, to settle a potential violation of the HIPAA Right of Access rule.
The settlement is the eighth and largest made under the OCR HIPAA Right of Access Initiative launched in 2019, which is designed to support the right of patients to have timely access to their health records for a reasonable fee.
OCR announced five settlements under the initiative in September, while the other HIPAA Right of Access enforcements occurred in late 2019 between Korunda Medical and Bayfront Health.
Under HIPAA, HHS has previously noted that “a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.”
The SJHMC settlement stems from a 2018 patient complaint to OCR. In January 2018, a mother requested a copy of four medical records sets for her son from SJHMC. Four months later, the provider had still failed to provide all of the requested patient information – even after multiple requests.
In response, OCR launched an investigation and determined the lack of action from SJHMC was a potential violation of the HIPAA Right of Access standard. As a result of the investigation, SJHMC finally provided the mother with all of the requested data more than 22 months after the initial request in December 2019.
“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when healthcare providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino, said in a statement.
“OCR has many right of access investigations open across the country and will continue to vigorously enforce this right to better empower patients,” he added.
In addition to the monetary penalty, SJHMC will also implement a corrective action plan, which will include two years of monitoring. The provider is required to develop, maintain and revise, as necessary, written policies and procedures for the privacy standards of individually identifiable health information.
Those elements must include a review and update to its necessary policy for designated record sets contained in the provider’s Right of Access rules for protected health information “to ensure comprehensive responses to requests for records.”
SJHMC must also develop training protocols for its workforce and business associates involved in handling access requests to ensure compliance with policies and procedures, as well as apply the appropriate sanctions against workforce members who fail to comply with access rules.
The provider must also implement a process for the review of the performance of business associates related to access requests and their responses and “terminating relationships with business associates who fail to permit SJHMC to comply with policies and procedures.”
All SJHMC workforce members must also receive training on these policies and procedures, at least on a yearly basis.
Despite the HIPAA Right of Access rule, Ciitizen has repeatedly found that many providers are still failing to comply. The latest Patient Record Scorecard found significant improvement from its initial reports, which determined the majority of providers fail to comply with the rule.
Ciitizen researchers attributed the improvement to the OCR Right of Access Initiative and “the positive influence of vendors (often called “release of information” or ROI vendors) who help their provider clients comply with HIPAA Right of Access obligations and who often take steps to make sure patients seeking their health information have a smooth pathway for obtaining these records.”