OCR Announces 18th Settlement Under HIPAA Right of Access Enforcement Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 18th settlement under its HIPAA Right of Access enforcement initiative.

The HIPAA Right of Access is a provision of the Health Insurance Portability and Accountability Act Privacy Rule which gives individuals the right to obtain a copy of the protected health information held by a covered entity, inspect the information, and correct any errors.

When a request for a copy of an individual’s PHI is received by a covered entity, it must respond and provide a copy of those records within 30 days. It is possible to apply for a 30-day extension if the records are not reasonably accessible, and there are limited situations when requests can be denied.

The HIPAA Right of Access enforcement initiative was launched by OCR in 2019 to address widespread noncompliance with this important Privacy Rule provision. So far in 2021, 5 financial penalties have been imposed to resolve HIPAA Right of Access violations.

The latest case involved the Ridgewood, NJ-based plastic surgery practice Village Plastic Surgery. A patient of the practice requested a copy of the medical records held by Village Plastic Surgery, but those records were not provided within 30 days. The patient filed a complaint with OCR on September 7, 2019, and a compliance investigation was launched.

During OCR’s investigation, Village Plastic Surgery did not provide the patient with the requested records, although the records were eventually provided. Since the records had not been provided within the allowable 30 days, OCR determined that there had been a violation of the HIPAA Right of Access – 45 C.F.R. § 164.524.



Village Plastic Surgery decided not to contest OCR’s decision and settled the case with no admission of liability. Under the terms of the settlement, Village Plastic Surgery agreed to pay a $30,000 financial penalty and adopt a corrective action plan that requires policies and procedures to be implemented covering access to patient records, and for all staff to be HIPAA trained on the new procedures. OCR will also be monitoring Village Plastic Surgery for continued compliance with the HIPAA Right of Access for 2 years.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/