Children’s Hospital & Medical Center (CHMC) is the latest healthcare organization to have possibly violated the HIPAA right of access requirements resulting in a settlement, according to an announcement by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).  OCR’s announcement marks the twentieth settlement related to violations of HIPAA access rights achieved since the start of its Right of Access Initiative.

The HIPAA right of access standard can be found at 45 CFR §164.524, and generally provides that a HIPAA covered entity must provide individuals, upon request, with access to protected health information (PHI) about the individual maintained by the covered entity in one or more designated record sets.  An individual’s personal representative (which would be any person with authority under state law to make health care decisions for the individual, like the parent of a minor), also has the right to access an individual’s PHI, upon request, consistent with the scope of such representation (see 45 CFR §164.502(g)).  The access requirements generally do not apply to (1) information not considered “designated record sets,” as defined by 45 C.F.R. § 164.501, (2) psychotherapy notes, and (3) records created in reasonable anticipation of or for a civil, criminal, or administrative action. 45 C.F.R. § 164.524.  

CG attorneys have noted in previous blog posts that OCR’s enforcement efforts and related monetary settlements have been broad and wide-reaching, affecting covered entities of all sizes and related various areas of the law.  The nineteenth settlement arose from a patient complaint filed in August 2019, alleging that a West Virginia provider failed to provide a copy of a minor child’s records to the child’s parent.  And OCR’s most recent announcement related to it its settlement with CHMC involves a similar allegation. 

OCR’s settlement with CHMC stems from a complaint filed in May 2020 by a parent who alleged that CHMC did not provide her with timely access to her deceased minor daughter’s complete medical record.  The parent, who was her minor daughter’s personal representative, submitted a written request to CHMC for access to her late daughter’s records in January 2020.  CHMC provided the parent with a portion of the requested records but the remainder of records needed to be collected from another division of CHMC, according to the resolution agreement.  The parent contacted CHMC several times regarding the request and the remaining records.  According to OCR, the remaining records were provided to the parent because of its investigation and were received by the parent in June 2016 and July 2020, six and seven months after the initial request. OCR’s investigation concluded that CHMC may have violated HIPAA right of access requirements by failing to provide access to PHI in a timely manner.  As part of the settlement agreement, CHMC agreed to pay HHS $80,000 and agreed to comply with a Corrective Action Plan (CAP) that will end one year from the effective date.  

Covered entities should note these key takeaways from CHMC’s settlement.

  1. This is the second settlement in 2021 involving a personal representative’s access to a patient’s records – particularly, a parent’s access to a minor child’s records.  Covered entities should ensure training includes the role of personal representatives. 
  2. Do not underestimate a frustrated patient’s resolve, especially a parent.  While patients and personal representatives do not have a private right of action under HIPAA, they can and will file complaints with OCR, which is easily done by mail or online via the OCR Complaint Portal.  Note that anyone can file a complaint – not just the aggrieved party.
  3. Covered entities should not expect OCR to automatically grant second chances.  In many of the HIPAA Right of Access Initiative settlements, OCR initially provides technical assistance and does not initiate a formal investigation until there is a second complaint against the covered entity related to that technical assistance.  However, there have been several HIPAA Right of Access Initiative enforcement actions – including the majority of recent settlements – that settle without OCR providing prior technical assistance or after a second complaint.
  4. Partial compliance is not compliance and can cause OCR to take action.  Covered entities should ensure full compliance with HIPAA access rules.  Covered entities should also review their process for medical record access and remove encumbrances or hurdles, like the need to collect different parts of the medical record from different divisions.

Covered entities should ensure familiarity and compliance with HIPAA requirements, including the right to access protected health information by a patient or a personal representative (45 CFR §164.502(g)).  These rights under HIPAA to access protected health information are at 45 C.F.R. § 165.524 and there is HHS guidance on the topic.  As noted by Acting OCR Director Robinsue Frohboese, “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation.  If you need assistance with such a matter, please contact us today.