OCR Announces 19th HIPAA Right of Access Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights has fined an endocrine disorder specialist $5,000 for failing to comply with the HIPAA Right of Access.

The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their protected health information held by a HIPAA covered entity. When a request is submitted in writing for a copy of PHI, a HIPAA-covered entity must comply with the request and provide the PHI contained in a designated record set within 30 days of the request being received. Individuals are permitted to obtain a copy of their own PHI, and parents and legal guardians are permitted to obtain a copy of the PHI of their minor children.

OCR received a complaint in August 2019 alleging The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was in violation of the HIPAA Right of Access (45 C.F.R. § 164.524). A woman had submitted a request to DELC in July 2019 for a copy of her minor sons’ PHI and claimed that DELC had refused to provide that information.

OCR launched an investigation into potential noncompliance and informed DELC about the investigation and complaint on October 30, 2019. OCR’s investigation confirmed that the requested records had not been provided in a timely manner. The records were eventually provided, as requested, in May 2021, almost two years after the parent had requested a copy of her sons’ PHI. Without the intervention of OCR, the woman may never have obtained the records.

OCR determined the delay in providing the records was potentially in violation of 45 C.F.R. § 164.524 and the decision was taken to impose a financial penalty. DELC agreed to settle the case and paid OCR $5,000 to resolve the violation. In addition to the financial penalty, DELC has agreed to a corrective action plan that involves updating its policies and procedures for requests from individuals to access their PHI and training the workforce on this aspect of the HIPAA Privacy Rule. DELC will also be closely monitored by OCR for 2 years to ensure compliance.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese. “Covered entities owe it to their patients to provide timely access to medical records.”