January 3, 2023 — Life Hope Labs reached a settlement with the Office for Civil Rights (OCR) as part of the corrective action plan to sort out the Right of Access Case investigation.
According to the settlement agreement, the Georgia-based Life Hope Labs will pay $16,500 after failing to provide their patient with timely and complete access to their protected health information (PHI).
Organizations that fail to follow the HIPAA Privacy Rule’s right of access provisions are subject to corrective action plans and monetary penalties. As with the ruling, Life Hope Labs must comply with federal privacy and access requirements.
HIPAA’s Right of Access case with the CAP-accredited lab marks the 43rd case since OCR launched the HIPAA Right of Access Initiative in 2019. The HHS Office for Civil Rights (OCR) continues to discipline healthcare organizations that withhold medical records from patients.
On top of the monetary penalty, Life Hope Labs must follow the corrective action plan, which the OCR will monitor for two years. Furthermore, the lab must develop a written implementation report within 120 days. After which, they must submit the document for approval.
Table of Contents
Allegations of Right of Access Violation
In August 2021, a patient’s representative filed a complaint with OCR stating that Life Hope Labs denied access to her deceased father’s medical records.
The representative requested access to her father’s records on July 7, 2021, and had to wait over seven months before they were released. The delay clearly demonstrated the lab’s failure to provide patients and their representatives with timely access to their requested information.
Eventually, the situation came to the attention of the Office for Civil Rights (OCR), which ultimately ordered an investigation into the alleged violations following the complaint.
Investigation and findings by the OCR
According to the investigation conducted by the OCR, the patient’s personal representative repeatedly reached out to Life Hope Labs, but the said Georgia Lab provided the requested records on February 16, 2022.
In the announcement, the OCR’s director, Melanie Fontes, said, “Access to medical records, including lab results, empowers patients to manage their health better, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.”
She added, “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”
The case findings also showed that Life Hope Labs failed to acknowledge the patient’s right to access his medical records, a clear violation of the HIPAA Privacy Rule.
That said, the Georgia-based lab is liable for the violation and must comply with the penalties associated with the case.
Following the investigation, Life Hope Labs should provide a monetary settlement amounting to $16,500. They must also adhere to the corrective action plan, indicating mandatory compliance with the HIPAA Privacy Rule.
The Georgia lab should develop accurate measures following HIPAA’s standardized process for maintaining patient records. In addition, they must comply with the workforce training protocols and address requirements for PHI requests.
Furthermore, the policies must state the necessary punishments and penalties for staff who fail to follow the HIPAA Privacy Rule. The corrective action plan also requires the Georgia lab to conduct employee training to ensure full compliance.
Once the HHS approves the policies, Life Hope Labs must task their employees with access requests.
Compliance efforts and reporting requirements
In the last two years, OCR strictly enforces the right of access rule for healthcare organizations. This is to empower patients and provide them with control over their medical records and health decisions.
Importance of Timely Access to Medical Records
The Georgia-based Life Hope Labs’ case is not the first time that such an incident happened in the healthcare industry. That is why having timely access to medical records is essential to ensure patient satisfaction and improve treatment outcomes.
Here are a few reasons why healthcare-related entities should ensure compliance with the patient’s right of access under HIPAA:
Continuity of care
When healthcare providers have immediate access to a patient’s medical history, they can make well-informed decisions about diagnosis and treatment plans.
Enhanced patient safety
During emergencies where patients require urgent care, doctors must have immediate access to a patient’s medical history. Medical records with information about their allergies, medications, and prior medical conditions help prevent other complications.
Improved patient engagement
When patients can access their medical records, they can proactively monitor their treatment plans, test results, and health conditions. This fosters a sense of ownership and control over one’s health, promoting patient-centered care.
OCR’s HIPAA Right of Access Initiative
OCR reached its first settlement for its first case under the Right of Access Initiative in September 2019. “This initiative is part of the agency’s efforts to vigorously inform patients of their rights to receive copies of their medical records promptly and without being overcharged,” OCR said in a press statement.
The investigations covered different healthcare organizations, including a private dental and psychiatry clinic and a vast 17-hospital nonprofit health system.
The HIPAA violations investigated by OCR mostly appear during compliance reviews. Patients and their personal representatives may also file complaints directly to the agency. The concerned parties will get notified once OCR accepts a complaint for investigation. Covered entities must then comply and cooperate to reach a settlement.
In some cases, the investigation may reveal the healthcare organization as not guilty of violating the HIPAA Privacy Rule. However, if the evidence shows that the covered entity did not comply, OCR will obtain the following:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
In addition, the Office for Civil Rights may impose Civil Monetary Penalties (CMPs) on the covered entity to resolve the case. Meanwhile, the healthcare organization may also request a hearing to present itself in front of an HHS administrative law judge who will decide if the penalties are justified. However, the complainants are not entitled to compensation since the CMPs collected from the covered entities are deposited in the U.S. Treasury.
