Clinic office assistant Joan Vest searches for a patient's missing medical file at the Spanish Peaks Family Clinic on Aug. 5, 2009, in Walsenburg, Colo. Nebraska-based pediatric health care provider Children's Hospital & Medical Center agreed to pay an $80,000 civil monetary penalty and to take corrective action to resolve potential HIPAA violations. (Photo by John Moore/Getty Images)

The Department of Health and Human Services Office for Civil Rights announced it reached a settlement with Children's Hospital & Medical Center to resolve potential violations of the Health Insurance Portability and Accountability Act Privacy Rule’s Right of Access standard.

The Nebraska-based pediatric health care provider agreed to pay an $80,000 civil monetary penalty and to undertake a corrective action plan that includes one year of monitoring from OCR. The CHMC settlement is the 20th made under the agency’s Right of Access Initiative, launched in 2019.

The enforcement action stems from a May 2020 complaint filed with OCR. A parent alleged that CHMC failed to provide timely access to her minor daughter’s medical records. The provider responded to an initial request with some of the requested information, but did not fulfill the entire request despite multiple follow-up requests.

In response, OCR launched an investigation on Jan. 3, 2020, and found the failure to provide the parent with timely access to the requested health data was a potential violation of the HIPAA Right of Access standard. The privacy regulation requires a covered entity or business associate to take action on patient access requests within 30 days, or within 60 days if an extension is applicable.

The investigation resulted in the patient receiving all requested records from CHMC on June 20 and July 16, 2020.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative,” said Acting OCR Director Robinsue Frohboese.

“OCR's Right of Access Initiative supports patients' and personal representatives' fundamental right to their health information and underscores the importance of all covered entities' compliance with this essential right,” she added.

Under the corrective action plan, CHMC is required to review and revise, where necessary, its right of access policies to align and comply with HIPAA requirements and submit them to HHS for review. Upon approval, the policies must be distributed to relevant workforce members, who will then need to be trained.

HHS Right of Access Initiative targets ongoing HIPAA noncompliance

For the last two years, HHS has emphasized the right of patients to gain timely access to their health records as a key compliance priority. HHS has also suggested that making changes to the HIPAA rule itself would better support patient access rights and data sharing between providers.

Patient access rights are an essential part of HIPAA, which states that individuals or their representatives have a right to review or obtain copies of their own protected health information in a requested format, within a reasonable timeframe, and for a modest fee.

“Individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf,” according to HHS.

“The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual,” it adds.

Despite these clear carve-outs, key data from Ciitizen have repeatedly shown that the majority of providers fail to comply with HIPAA access rights. The latest data show there are significant improvements being made in the sector on access rights, but there’s still a long way to go.

One crucial stress point is the failure to provide medical records in a requested format. Most providers also decline to send information through unsecured email, even when patients acknowledge and accept the risks. Another challenge is adhering to the 30- and 60-day timeframes: even some compliant providers needed calls to supervisors to adhere to the rule.

But all in all, the improvements on access rights stem from “the positive influence of vendors (often called ‘release of information’ or ROI vendors) who help their provider clients comply with HIPAA Right of Access obligations and who often take steps to make sure patients seeking their health information have a smooth pathway for obtaining these records,” according to the Ciitizen report.

Ciitizen also attributes positive changes in awareness and adherence to the OCR Right of Access Initiative, including some major settlements with both small and large providers.