In late 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA compliance enforcement initiative targeting noncompliance with the HIPAA Right of Access. OCR has recently announced that a further 11 fines have been imposed to resolve violations of the HIPAA Right of Access, bringing the total number of civil monetary penalties and settlements under this initiative up to 38.
The fines in the latest batch range from $3,500 to $240,000, and all stemmed from complaints from single patients who had not been provided with timely access to their medical records. Under the HIPAA Right of Access, a patient is permitted to obtain a copy of their medical records – contained in a designated record set – from a healthcare provider or health plan. Those records must be provided in the format requested by the patient – electronic or paper – within 30 days of receipt of the request. In limited situations, a 30-day extension can be obtained for providing those records. In one of the latest cases, it took 564 days from the initial request for all the requested records to be provided, resulting in a $240,000 settlement.
The latest batch of fines includes two notable cases where patients requested a copy of their medical records from a healthcare provider, but the requests were put on hold due to the non-payment of medical bills. In one case, the provider refused to provide the records because medical bills had not been paid in full; in the other, the records were not provided because the patient’s insurance had not covered the cost of treatment. In the latter case, the patient needed a copy of the records to appeal the decision of the insurance company, yet the records were not provided in time. In fact, they were not provided at all, despite the intervention of OCR. In that case, OCR imposed a civil monetary penalty of $100,000.
The HIPAA Right of Access is a fundamental right for patients that was introduced by the HIPAA Privacy Rule. If a valid request is received from a patient, the records must be provided even if the patient has not paid for their medical treatment in full.
Some of the violations have resulted from a misunderstanding of when medical records can be provided to a patient’s nominated representative, such as to a parent of a minor. OCR has clarified that such disclosures of the records are permitted: “An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice).” OCR has also previously written guidance for HIPAA-covered entities on personal representatives.
Further clarification on the HIPAA Right of Access can be found on the HHS website.
July 2022 HIPAA Right of Access Financial Penalties
| HIPAA Covered Entity | State | Penalty Type | Penalty Amount | Reason |
|---|---|---|---|---|
| Memorial Hermann Health System | TX | Settlement | $240,000 | 564 days to provide complete records |
| ACPM Podiatry | IL | Civil Monetary Penalty | $100,000 | Failure to provide records due to outstanding bills, even with intervention by OCR |
| Southwest Surgical Associates | TX | Settlement | $65,000 | 13 months to provide the requested records |
| Hillcrest Nursing and Rehabilitation | MA | Settlement | $55,000 | 7 months to provide records to a personal representative of the patient |
| MelroseWakefield Healthcare | MA | Settlement | $55,000 | 4 months to provide records to a personal representative of the patient |
| Erie County Medical Center Corporation | NY | Settlement | $50,000 | Impermissible delay in providing records to a patient’s personal representative |
| Fallbrook Family Health Center | NE | Settlement | $30,000 | Impermissible delay in providing records to a patient |
| Associated Retina Specialists | NY | Settlement | $22,500 | 5 months to provide records to a patient |
| Coastal Ear, Nose, and Throat | FL | Settlement | $20,000 | 5 months to provide records to a patient |
| Lawrence Bell, Jr. D.D.S | MD | Settlement | $5,000 | 3 months to provide records to a patient |
| Danbury Psychiatric Consultants | MA | Settlement | $3,500 | 6-month delay in providing records due to outstanding bill |
“It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”