HHS Announces Largest Ever Financial Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services has issued its largest ever HIPAA fine for noncompliance with the HIPAA Right of Access. Banner Health settled its HIPAA case with OCR and paid a $200,000 penalty.

The HIPAA Privacy Rule requires healthcare organizations to provide patients with a copy of their protected health information within 30 days of a request being received. OCR launched a HIPAA Right of Access enforcement initiative in late 2019 due to widespread noncompliance with this important HIPAA standard.

In 2019, OCR issued two fines for noncompliance with the HIPAA Right of Access, a further 11 financial penalties were announced in 2020, and Banner Health’s fine brings the total to 14.

OCR had received two complaints from the legal representatives of patients alleging they had been made to wait months for copies of their medical records. One patient had sent a request to Banner Estrella Medical Center in December 2017 for a copy of her medical records and had to wait until May 2018 for the records to be provided. A second patient submitted a request for a copy of his medical records to Banner Gateway Medical Center in September 2019 but was not provided with a copy of his records until February 2020.

OCR investigated and determined that Banner Health had potentially violated the HIPAA Right of Access by not providing the records within 30 days.

In addition to the financial penalty, Banner Health has agreed to adopt a corrective action plan and ensure that policies and procedures are developed and implemented across its 30 hospitals and numerous primary care, urgent care, and specialty care facilities to ensure that requests for access to PHI are dealt with in a timely way. OCR will be monitoring Banner Health for two years to ensure compliance.

These settlements send a message to healthcare organizations that compliance with the HIPAA Right of Access is not optional. When individuals are not provided with timely access to their medical records, for a reasonable cost-based fee, a significant financial penalty can be expected.

“This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records,” said OCR Director Roger Severino.