The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an enforcement initiative in the fall of 2019 to crack down on non-compliance with the HIPAA Right of Access. On November 30, 2021, OCR announced a further 5 enforcement actions against healthcare providers who had failed to provide patients with timely access to their medical records. The latest fines mean OCR has imposed a total of 25 financial penalties under this enforcement initiative.
When a request for access to medical records is received, covered entities have up to 30 days to provide the requested records, but are permitted a further 30 days to provide records in limited circumstances, such as if the requested records have been archived and stored offsite. OCR encourages HIPAA-covered entities to process the record requests as soon as possible.
Individuals are permitted to request a copy of their own records – contained in a designated record set – and an individual’s personal representative also has the right to obtain a copy of that individual’s records. Those records should be provided in an electronic format if requested by the patient, provided the records can be readily provided in that format.
In addition to having a right to obtain a copy of medical records, patients also have the right to file a complaint with OCR about non-compliance with the HIPAA Rules, including the failure to comply with the HIPAA Right of Access. In all of the 5 recent enforcement actions, patients filed a complaint with OCR when they had not been provided with the requested records within the timeframe allowed by the HIPAA Privacy Rule.
Four healthcare providers accepted OCR’s determination and agreed to pay a financial penalty to settle the investigation with no admission of liability. Under the terms of the settlements, they are required to adopt a corrective action plan that involves updating their Right of Access policies and procedures and providing training to the workforce on the new policies and procedures.
When covered entities fail to cooperate with OCR investigations and HIPAA violations are discovered, OCR can pursue civil monetary penalties. In one case, a doctor did not co-operate or respond to OCR’s data requests and waived the right to a hearing about OCR’s proposed determination. In that case, a civil monetary penalty was imposed.
In all cases, OCR determined the patients who filed complaints had not been provided with timely access to their medical records, which was in violation of 45 C.F.R. § 164.524 of the HIPAA Privacy Rule.
- Eugene, OR-based Rainrock Treatment Center dba Monte Nido Rainrock settled its case and paid a $160,000 penalty
- Springboro, OH-based Advanced Spine & Pain Management settled its case and paid a $132,150 penalty
- Denver, CO-based Denver Retina Center settled its case and paid a $30,000 penalty
- Wake Health Medical Group settled its case and paid a $10,000
- A civil monetary penalty of $100,000 was imposed on New Hyde Park, NY-based Dr. Robert Glaser
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”