In 2019, the Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA enforcement initiative to encourage compliance with the HIPAA Right of Access provision of the HIPAA Privacy Rule. This provision (45 C.F.R. § 164.524) gives individuals the right to access their health information and obtain a copy of that information, and to only be charged a reasonable cost-based fee for obtaining the records.
After it became clear that there was widespread noncompliance and patients were being denied access to their health data, OCR made this HIPAA provision an enforcement priority. Two financial penalties were imposed on covered entities in 2019 for failing to provide patients with a copy of their records in a timely manner – within the 30 days allowed by the HIPAA Privacy Rule – and a further 11 financial penalties have been imposed in 2020 for similar violations.
The thirteenth penalty, announced by OCR on December 22, 2020, was imposed on Peter Wrobel, M.D., P.C., doing business as Elite Primary Care. As has been the case with the other HIPAA Right of Access settlements, an investigation was launched by OCR after receiving a complaint from a patient who had not been provided with their health records within 30 days of submitting a request. In this case, the patient had been denied a copy of his medical records after requesting access and submitted a complaint to OCR on April 22, 2019.
OCR provided technical assistance and instructed the practice to review the request and provide access, if permitted by the HIPAA Privacy Rule. The patient submitted a formal request in writing for a copy of his records, which was received by the practice on June 5, 2019. When those records were again not provided, the patient submitted a second complaint to OCR on October 9, 2019. The practice sent the patient’s records to his new healthcare provider on November 21, 2019 and gave the patient a copy of the requested records on May 8, 2020.
The delay in providing the records earned the practice a financial penalty of $36,000. Elite Primary Care is also required to adopt a corrective action plan that involves developing, implementing, and maintaining policies and procedures relating to the HIPAA Right of Access and training staff on those policies and procedures. The practice will also be monitored closely by OCR for 2 years to ensure continued compliance.
“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.