Bayfront Health St. Petersburg, in Florida, has paid $85,000 to settle a government complaint that it failed to give a mother timely access to records about her unborn child.
The hospital also adopted a corrective action plan to ensure that all patients have access to their records in the future. This is the first enforcement action and settlement under the Right of Access Initiative of the US Department of Health and Human Services’ Office for Civil Rights (OCR), according to a news release.
OCR, which enforces the Health Insurance Portability and Accountability Act (HIPAA), initiated its investigation on the basis of a complaint from the mother. As a result, the news release said, Bayfront provided her with the requested health information more than 9 months after her initial request.
The resolution agreement between the OCR and Bayfront states that the mother first submitted a written request to the hospital for fetal heart monitor records on October 18, 2017. Bayfront told her that the records could not be found. Early in 2018, the complainant’s attorney requested the records again.
“Bayfront provided a complete response to Complainant’s counsel on August 23, 2018, after providing an incomplete set of the records in March 2018,” the settlement document said. “Complainant’s counsel shared the records with her and, as a result of OCR’s investigation, on February 7, 2019, Bayfront provided Complainant with the fetal heart monitor records directly.”
OCR pointed out that the long delay in providing the records is a potential violation of the HIPAA, “which generally requires covered health providers to provide medical records within 30 days of the request.” This right extends to medical information about minor children as well as prenatal records, the office said.
“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino in the press release. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
In an interview with Medscape Medical News, Bayfront spokesman David Larrick attributed the delay in giving the mother the records she requested to “clerical errors.” He declined to explain why it took so long to provide the records.
Under the corrective action plan in the agreement, Bayfront must revise its written access policies and procedures to conform with HIPAA privacy requirements. The hospital also must show the OCR that has it trained its workforce in these new policies, and it is required to sanction staff members who violate them.
New Direction for OCR
Most of the settlements that OCR has entered up to now have been related to HIPAA security and privacy violations. For example, this year a Tennessee diagnostic medical imaging services company paid $3 million to settle its liability in a breach that exposed the protected health information of more than 300,000 patients. In 2018, the OCR netted $28.7 million from 10 settlements and a summary judgement, all of which concerned data breaches.
The $85,000 penalty levied on Bayfront is a slap on the wrist for the 480-bed hospital. But it is the first time that the OCR has imposed any fine on a healthcare provider for this kind of HIPAA violation, Margaret Davino, a HIPAA expert and a partner in the New York law firm Fox Rothschild LLP, told Medscape Medical News.
“Most of the time, hospitals comply with data requests in a fairly timely fashion,” noted Davino. So the 9 months it took Bayfront to comply may have drawn the OCR’s attention, she said.
In addition, she observed, the Bayfront settlement “may be a reminder to the industry that this is something they have to pay attention to…. Nobody wants to have an OCR investigation. If OCR comes in, they may not limit their investigation to one matter.”
When asked whether physician practices should be on their guard against staff members who withhold records from patients, Davino answered, “Absolutely, they should. The OCR right-of-access initiative applies to any HIPAA-covered entity, including physician practices. Physician practices are probably at greater risk than hospitals, because hospitals typically have staff that deal with records requests. Independent practices are much more sparsely staffed and may not respond in as timely a fashion.”