Massachusetts Hospital Pays $65,000 Penalty to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has fined Arbour Hospital $65,000 for failing to provide a patient with timely access to his medical records.

The HIPAA Right of Access of the Privacy Rule – 45 C.F.R. § 164.524(b) – gives patients the right to inspect and obtain a copy of their protected health information in a designated record set, for as long as those records are maintained in the designated record set. If a copy of a patient’s medical records is requested in writing, HIPAA-covered entities have a maximum of 30 days to respond to the request, although the records should be provided as soon as possible. In some cases, a 30-day extension to the deadline is possible, such as if the records are not readily accessible. In such cases, a response must be provided to the patient within 30 days providing the reason for the delay.

After receiving many complaints from patients who had not been provided with timely access their medical records, OCR launched a new HIPAA enforcement initiative in 2019.

On July 5, 2019, OCR received a complaint from a patient of Arbour Hospital in Boston, Massachusetts alleging he submitted a written, signed request for a copy of his medical records to Arbour Hospital on May 7, 2019, but had not been provided with those records. OCR contacted the mental health clinic and provided technical assistance to help the hospital comply with the HIPAA Right of Access and closed the investigation.

The patient submitted a second complaint on July 28, 2019 when his records had still not been provided. OCR reopened the investigation, and the patient was provided with a copy of his requested records on November 1, 2019, more than 5 months after he submitted his request.

Had the hospital responded to the patient promptly, or even responded in a timely manner after receiving technical assistance from OCR, a financial penalty could have been avoided.

Arbour Hospital must now pay a penalty of $65,000 and implement a corrective action plan and will be monitored by OCR for 1 year to ensure compliance with the HIPAA Right of Access.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

This settlement is the 17th under the HIPAA Right of Access enforcement initiative, and the fifth financial penalty to resolve HIPAA violations to be announced by OCR in 2021.