OCR Announces 11th Financial Penalty under HIPAA Right of Access Enforcement Initiative

A Regal Park, NY-based private otolaryngology practitioner has been issued with a $15,000 financial penalty for failing to provide a patient with a copy of her medical records in a timely fashion, in violation of the HIPAA Right of Access standard of the HIPAA Privacy Rule.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) launched a HIPAA compliance investigation after a compliant was received from a patient of Dr. Rajendra Bhayani in September 2018. The complainant alleged a request for access to her medical records was sent to Dr. Bhayani in July 2018 but they were not provided.

OCR intervened and provided technical assistance to Dr. Bhayani and the complaint was closed. OCR received a second complaint in July 2019 from the same complainant alleging Dr. Bhayani had still not provided the medical records as requested.

OCR sent letters to Dr. Bhayani on August 2, 2019 and October 22, 2019 requesting data, but no response was received. OCR determined the failure to provide the patient with a copy of her medical records was in violation of the HIPAA Right of Access standard 45 C.F.R. § 164.524, and the failure to cooperate with the investigation was in violation of 45 CFR § 160.310(b). The patient was provided with her requested medical records in September 2020, 26 months after she had sent her initial request.

The compliance failures were deemed to be severe enough to warrant a financial penalty. OCR notified Dr. Bhayani of its intent to impose a financial penalty and the case was settled with no admission of liability. In addition to the financial penalty, Dr. Bhayani is required to adopt a corrective action plan and will be monitored for compliance for 2 years.

The corrective action plan includes reviewing and revising policies and procedures on providing patients with access to their medical records, which must stipulate the fees that will be charged for providing access and the methods used to calculate those fees. Training on the HIPAA Privacy Rule and providing access to medical records must also be provided to all staff members. The policies and procedures and training materials must be submitted to OCR for review, and quarterly reports detailing access requests and charges and any denials of access must be provided to OCR along with annual reports.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion.  We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.

This is the 11th financial penalty Imposed by OCR under the HIPAA Right of Access enforcement initiative which was launched in 2019 and the 17th HIPAA financial penalty of 2020 – That’s the same number of financial penalties that were imposed on covered entities and business associates in the first five years of HIPAA enforcement between 2008 and 2013.