OCR Announces 42nd Financial Penalty for a HIPAA Right of Access Violation

The Right of Access provision of the HIPAA Privacy Rule permits patients to obtain a copy of their medical records in the format of their choosing, and those records must be provided within 30 days. In some situations when that is not possible, an additional 30 days is permitted. In response to multiple complaints about healthcare providers failing to provide the requested records within that time frame, the HHS’ Office for Civil Rights (OCR) launched a HIPAA enforcement initiative in late 2019 targeting this aspect of non-compliance. As of today, December 16, 2022, 42 enforcement actions have resulted in financial penalties and OCR has doled out more than $2.4 million in fines.

The latest enforcement action – OCR’s second this month – was against the Orlando-based primary care provider Health Specialists of Central Florida Inc. Health Specialists of CF received a medical record access request from an individual on August 29, 2019. That individual sent an Authorization for Release of Medical Record Information form and a copy of the original Letters of Administration, seeking a copy of the medical records of her deceased father. Health Specialists of CF failed to provide the complete set of records despite multiple requests, prompting the woman to file a complaint with OCR on November 22, 2019. The complete records were eventually provided on January 27, 2020, almost five months after the initial request.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) is clear about the maximum time frame for providing a copy of requested records. OCR determined that the unnecessary delay was a violation of the HIPAA Right of Access. Health Specialists of CF agreed to settle the case, pay a $20,000 financial penalty, and adopt a corrective action plan to address the non-compliance, and will be monitored by OCR for two years.

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce HIPAA training to ensure that they are doing all they can to help patients access.”

All 42 cases have stemmed from complaints from individuals who have been denied access to their medical records or have faced unacceptable delays in obtaining a copy of their records, and OCR officials have stated their intention to continue to target this aspect of non-compliance. It is therefore vital that policies and procedures are in place to allow medical record access requests to be satisfied promptly and to ensure that any fees charged for providing those records are reasonable and cost-based.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/