OCR Announces HIPAA Settlement for Failure to Respond to Participant Requests

On September 9, 2019, the HHS’s Office for Civil Rights (OCR) announced an enforcement action and settlement resolving an investigation of Bayfront Health St. Petersburg (Bayfront). Bayfront is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. As a result of the settlement, Bayfront paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right of access provision of the HIPAA rules.

As background, the OCR began an investigation when a mother filed a complaint alleging that Bayfront provided personal health information relating to her unborn child to her more than nine months after her request. HIPAA generally requires that health care providers provide personal health information relating to the requestor within 30 days of the request. The right of access to these records extends to parents of minor children, such as an unborn child.

In addition to the $85,000 paid pursuant to the settlement, the resolution agreement requires Bayfront to comply with a corrective action plan that requires them to develop, maintain, and revise, as necessary, written access policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information. Those policies must be reviewed by OCR and, upon approval, distributed to Bayfront employees and business associates. Bayfront must also revise its training materials and, subject to approval by OCR, train its employees and business associates on its policies and procedures regarding federal standards that govern the privacy of individually identifiable health information. Bayfront is obliged to report to OCR any information regarding an employee or business associate that may have failed to comply with those policies and procedures and to submit reports of its progress to OCR.

In summary, this investigation and resolution agreement provides employers with a great example of conduct that violates the right of access provision of the HIPAA privacy and security rules. Although this settlement relates to a health care provider, employers that sponsor group health plans (particularly those with self-insured plans), should provide plan participants, upon request, with their health information, and do so in a timely manner.

Press Release »
Resolution Agreement »