Privacy, Governance, Risk and Compliance, Compliance Management

Life Hope Labs pays OCR $16K for HIPAA right of access violation

Medical personnel prepares samples for testing
Life Hope Labs paid $16,500 to DHS to settle a possible violation of HIPAA's right of access standard. (Navy)

The Department of Health and Human Services Office for Civil Rights reached a settlement with Life Hope Labs to resolve a possible violation of the Health Insurance Portability and Accountability Act right of access standard.

The $16,500 civil monetary penalty and agreement to implement a corrective action plan is the third enforcement action announced by OCR in the last month and the second tied to the right of access rule. OCR has reached 43 settlements over possible non-compliance in the last two years under its 2018 right of access initiative.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans,” OCR Director Melanie Fontes Rainer said in a statement.

All covered entities, including labs, are required to adhere to the access standard, providing patients with timely response to access requests from patients.

OCR launched an investigation into Life Hope, after a personal representative of a deceased patient filed a complaint with the agency that claimed the lab failed to provide her with her deceased father’s medical records. The representative made multiple requests for the records in July 2021, but Life Hope did not send the requested records until Feb. 16, 2022.

The investigation determined that Life Hope failed to provide the representative with timely access to the protected health information in a designated record set, in violation of the HIPAA rule.

In addition to the monetary penalty, Life Hope must adhere to a corrective action plan that will involve two years of monitoring for compliance by OCR. The lab is required to develop and maintain written policies and procedures for governing the privacy of individually identifiable health information within 60 days and submit the document to HHS for approval.

The measures must include an accurate definition of a designated record set under HIPAA, a standardized process for responding to patient access requests, and workforce training protocols to address requirements for receiving and fulfilling PHI requests and maintaining patient records.

The policies must also include appropriate sanctions for workforce members who fail to comply with the rule. A large portion of the corrective action plan is focused on employee training and attestation to compliance with the rule by employees.

Upon approval from HHS, Life Hope must provide workforce members tasked with access requests to ensure compliance.

Right of access has been an enforcement priority for OCR in the last two years, with the vast majority of enforcement actions stemming from violations of the right of access rule. The goal is to empower patients with greater control over their health decisions, particularly those with chronic health conditions.

With timely access, patients are more likely to adhere to treatment plans, find and fix possible errors in the record, and track the progress of their health, which HHS has stressed leads to better care outcomes. 

“Putting individuals ‘in the driver's seat’ with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system,” according to HHS.

The latest settlement should remind providers to review access requirements under HIPAA to ensure compliance.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.