Doctor on telehealth visit with patient

A Pittsfield, MA-based has paid $55,000 to settle an alleged HIPAA violation related to a patient’s ability to access his or her records.

Hillcrest Nursing and Rehabilitation, doing business as Hillcrest Commons, “failed to provide an individual’s personal representative with timely access to her son’s medical records,” the Department of Health and Human Services’ Office for Civil Rights said in announcing the settlement.

In addition to the payment, the agency said Hillcrest had agreed to take corrective action regarding the alleged violation of the Health Insurance Portability and Accountability Act privacy rule’s right of access standard.

A spokeswoman for Hillcrest declined to comment when reached by McKnight’s Long-Term Care News on Wednesday.

HHS launched its Right of Access Initiative in 2019 “to enforce individuals’ rights to access their health information in a quick and easy way. The OCR announced the resolution of 11 recent investigations in July, but they were noted in a compliance round-up this week by Philadelphia-based law firm Saul Ewing Arnstein & Lehr LLP.

Hillcrest is the only nursing home among the group. It was unclear Wednesday whether others had previously reached settlements under the access initiative.

A total of 38 healthcare entities have so far settled related infractions. OCR created the initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” OCR Director Lisa J. Pino said last month.

According to Attorney David Barmak, CEO of compliance firm Med-Net Concepts, skilled nursing providers can avoid running up against the patient record access rule by:

·         Complying with an individual/legal representative’s request for medical record/information no later than 30 days after receipt of the request. If up to a 30-day extension is needed, provide timely written notification to the individual/legal representative. 

·         Reviewing policies and procedures and modify those that unreasonably delay or prohibit access to the medical record/information.

·         Assigning and training staff who are responsible for following these policies and procedures.

·         Ensuring that the person requesting access is entitled to the medical record/information.

·         Knowing state law.

Under HIPAA, people and entities have the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement, according to a prominent legal observer. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common among complaints resolved.