laboratory right of access hipaa

Georgia Lab Resolves HIPAA Violation: OCR Reaches Settlement on Right of Access Case

January 3, 2023 — Life Hope Labs reached a settlement with the Office for Civil Rights (OCR) as part of the corrective action plan to sort out the Right of Access Case investigation.

According to the settlement agreement, the Georgia-based Life Hope Labs will pay $16,500 after failing to provide their patient with timely and complete access to their protected health information (PHI).

Organizations that fail to follow the HIPAA Privacy Rule’s right of access provisions are subject to corrective action plans and monetary penalties. As with the ruling, Life Hope Labs must comply with federal privacy and access requirements.

HIPAA’s Right of Access case with the CAP-accredited lab marks the 43rd case since OCR launched the HIPAA Right of Access Initiative in 2019. The HHS Office for Civil Rights (OCR) continues to discipline healthcare organizations that withhold medical records from patients.

On top of the monetary penalty, Life Hope Labs must follow the corrective action plan, which the OCR will monitor for two years. Furthermore, the lab must develop a written implementation report within 120 days. After which, they must submit the document for approval.

Georgia Lab Resolves HIPAA Violation: OCR Reaches Settlement on Right of Access Case

Allegations of Right of Access Violation

In August 2021, a patient’s representative filed a complaint with OCR stating that Life Hope Labs denied access to her deceased father’s medical records.

The representative requested access to her father’s records on July 7, 2021, and had to wait over seven months before they were released. The delay clearly demonstrated the lab’s failure to provide patients and their representatives with timely access to their requested information.

Eventually, the situation came to the attention of the Office for Civil Rights (OCR), which ultimately ordered an investigation into the alleged violations following the complaint.

Investigation and findings by the OCR

According to the investigation conducted by the OCR, the patient’s personal representative repeatedly reached out to Life Hope Labs, but the said Georgia Lab provided the requested records on February 16, 2022.

In the announcement, the OCR’s director, Melanie Fontes, said, “Access to medical records, including lab results, empowers patients to manage their health better, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.”

She added, “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.” 

The case findings also showed that Life Hope Labs failed to acknowledge the patient’s right to access his medical records, a clear violation of the HIPAA Privacy Rule. 

That said, the Georgia-based lab is liable for the violation and must comply with the penalties associated with the case. 

Following the investigation, Life Hope Labs should provide a monetary settlement amounting to $16,500. They must also adhere to the corrective action plan, indicating mandatory compliance with the HIPAA Privacy Rule.

The Georgia lab should develop accurate measures following HIPAA’s standardized process for maintaining patient records. In addition, they must comply with the workforce training protocols and address requirements for PHI requests.

Furthermore, the policies must state the necessary punishments and penalties for staff who fail to follow the HIPAA Privacy Rule. The corrective action plan also requires the Georgia lab to conduct employee training to ensure full compliance.

Once the HHS approves the policies, Life Hope Labs must task their employees with access requests. 

Compliance efforts and reporting requirements

In the last two years, OCR strictly enforces the right of access rule for healthcare organizations. This is to empower patients and provide them with control over their medical records and health decisions.

right of access medical records hipaa

Importance of Timely Access to Medical Records

The Georgia-based Life Hope Labs’ case is not the first time that such an incident happened in the healthcare industry. That is why having timely access to medical records is essential to ensure patient satisfaction and improve treatment outcomes.

Here are a few reasons why healthcare-related entities should ensure compliance with the patient’s right of access under HIPAA:

Continuity of care

When healthcare providers have immediate access to a patient’s medical history, they can make well-informed decisions about diagnosis and treatment plans. 

Enhanced patient safety

During emergencies where patients require urgent care, doctors must have immediate access to a patient’s medical history. Medical records with information about their allergies, medications, and prior medical conditions help prevent other complications.

Improved patient engagement

When patients can access their medical records, they can proactively monitor their treatment plans, test results, and health conditions. This fosters a sense of ownership and control over one’s health, promoting patient-centered care.

Georgia Lab Resolves HIPAA Violation: OCR Reaches Settlement on Right of Access Case

OCR’s HIPAA Right of Access Initiative

OCR reached its first settlement for its first case under the Right of Access Initiative in September 2019. “This initiative is part of the agency’s efforts to vigorously inform patients of their rights to receive copies of their medical records promptly and without being overcharged,” OCR said in a press statement.

The investigations covered different healthcare organizations, including a private dental and psychiatry clinic and a vast 17-hospital nonprofit health system.

The HIPAA violations investigated by OCR mostly appear during compliance reviews. Patients and their personal representatives may also file complaints directly to the agency. The concerned parties will get notified once OCR accepts a complaint for investigation. Covered entities must then comply and cooperate to reach a settlement.

In some cases, the investigation may reveal the healthcare organization as not guilty of violating the HIPAA Privacy Rule. However, if the evidence shows that the covered entity did not comply, OCR will obtain the following:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

In addition, the Office for Civil Rights may impose Civil Monetary Penalties (CMPs) on the covered entity to resolve the case. Meanwhile, the healthcare organization may also request a hearing to present itself in front of an HHS administrative law judge who will decide if the penalties are justified. However, the complainants are not entitled to compensation since the CMPs collected from the covered entities are deposited in the U.S. Treasury.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
hipaa corrective action plan
HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

Read on to discover why developing and implementing an effective HIPAA corrective action plan can help address violations and mitigate future consequences.

Read Story
telemedicine platform
Top Picks: The Best Telemedicine Platform in 2024

The ever-changing landscape of the healthcare industry means that as a provider, you always have to look for ways to…

Read Story
HIPAA Violation Settlement: Process and Implications
HIPAA Violation Settlement: Process and Implications

Find out how the HIPAA violation settlement process works and the factors affecting the penalties imposed.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.