10th Financial Penalty Announced Under OCR’s HIPAA Right of Access Enforcement Initiative

HIPAA Compliance Guide

The HHS’ Office for Civil Rights has made good on its promise to step up enforcement of compliance with the HIPAA Right of Access provision of the HIPAA Privacy Rule.

On Friday, November 6, 2020, OCR announced a tenth financial penalty had been imposed on a healthcare provider for failing to provide a patient with a copy of their medical records, as requested, within a reasonable time frame.

The HIPAA Right of Access gives patients the right to request a copy of their medical records. HIPAA-covered entities must supply a copy of medical records in a designated record set within 30 days of the request being received. This is an important provision of HIPAA as it empowers patients to take an active role in their healthcare. Patients can check their medical records for errors and have errors corrected, it puts patients in control of their records and allows them to share them with whomever they see fit, and it also ensures that in the event of disaster, such as a ransomware attack for instance, their records will always be available to them.

The latest financial penalty was imposed on Riverside, CA-based Riverside Psychiatric Medical Group. OCR received a complaint from a patient in March 2019 alleging the healthcare provider had failed to provide a copy of her records within a month, despite her making multiple requests. The first request was sent to the practice in February 2019.

OCR contacted Riverside Psychiatric Medical Group after receiving the complaint and provided technical assistance to help the practice comply with the HIPAA Right of Access and then closed the case, but the case was reopened when the patient submitted a second complaint to OCR in April 2019 saying her medical records had still not been provided.

Riverside Psychiatric Medical Group maintained the request did not need to be honored as the patient’s medical records included psychotherapy notes, which the HIPAA Privacy Rule does not give patients the right to access. OCR explained that while that is true for psychotherapy notes, other parts of the medical records should be provided as requested. In cases where a request for medical records is denied, in full or in part, a written response must be provided to the patient explaining why the request has been denied. Riverside Psychiatric Medical Group had not written to the patient to explain the decision.

Following OCR’s intervention, the patient was provided with a copy of her medical records, without the psychotherapy notes, in October 2019. In addition to the financial penalty, Riverside Psychiatric Medical Group is required to adopt a corrective action plan to address areas of noncompliance and will be monitored by OCR for two years.