Last month (Sept 2019), the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS-OCR) slapped a Florida hospital with an $85,000 fine—among other penalties—because it incorrectly told a maternity patient that the hospital couldn't find her records. When the patient's attorney reached out to the hospital, the hospital was somehow able to locate the records and they were delivered to the patient—some ten months after the initial request had been made. HHS HIPAA rules require requested records to be delivered within 30 days.
The hospital at issue is Bayfront Health St. Petersburg, a Level II trauma and tertiary care center licensed as a 480-bed hospital with about 550 affiliated physicians.
In addition to the substantial monetary penalty, the corrective action plan in this case requires Bayfront to:
- develop, maintain, and revise, as necessary, written access policies and procedures to comply with the HIPAA Privacy Rule;
- distribute approved access policies and procedures to Bayfront workforce members and relevant business associates;
- provide training (using approved materials) to Bayfront members and relevant business associates on receipt and fulfillment of access requests;
- promptly investigate reported failures of Bayfront workforce members or business associates to comply with prescribed access requirements and notify HHS-OCR of confirmed reportable events;
- submit to HHS-OCR an annual report on Bayfront’s compliance with the corrective action plan; and
- retain for inspection and copying all documents and records relating to compliance with the corrective action plan for six (6) years.
"Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law," said OCR Director Roger Severino, in an HHS statement about the fine and related punitive actions. "We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids."
This situation brings up several compliance issues. Had the relevant files been entered into the system? If so, had they been entered properly? If so, how did the initial records search fail? Did an employee say they had looked when they hadn't? Was that employee looking incorrectly? Had that employee been trained improperly? Or had they been trained properly, but had simply forgotten that training?
Was there insufficient supervision of the employee? That last question is critical. When the employee was preparing a written response stating that the records weren't found, even though hospital policy required those records to be stored, why didn't a supervisor look into why the records weren't there, assuming that they in fact weren't there?
Could it have been a matter of records entry delays because of backlogs? Aside from the supervisor, was anyone in Legal or Compliance notified when a required record wasn't found? If there is a stack of unprocessed medical records requests, hospital management needs to understand that they procrastinate on processing them at their own peril.
This case also speaks to long-term records retention policies, training, supervision, definitions of designated record sets, and how such patient requests need to be handled (paper? electronic? both?), along with notification of germane departments when requests are made and especially when staff is unable to deliver required documents. Executives also need to note other considerations, such as state laws that grant individuals more expansive rights of access.