OCR Continues Crackdown on HIPAA Right of Access Violations with 11 More Fines

In late 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA compliance enforcement initiative targeting noncompliance with the HIPAA Right of Access. OCR has recently announced that a further 11 fines have been imposed to resolve violations of the HIPAA Right of access, bringing the total number of civil monetary penalties and settlements under this initiative up to 38.

The latest batch of fines range from $3,500 to $240,000, and all stemmed from complaints from single patients who had not been provided with timely access to their medical records. Under the HIPAA Right of Access, a patient is permitted to obtain a copy of their medical records – contained in a designated record set – from a healthcare provider or health plan. Those records must be provided in the format requested by the patient – electronic or paper – within 30 days of receipt of the request. In limited situations, a 30-day extension can be obtained for providing those records. In one of the latest cases, it took 564 days from the initial request for all the requested records to be provided, resulting in a €240,000 settlement.

The latest batch of fines includes two notable cases where patients have requested a copy of their medical records from a healthcare provider, but the requests were put on hold due to the non-payment of medical bills. One of the cases involved a refusal to provide the records as medical bills had not been paid in full, and another where the records were not provided because a patient’s insurance had not covered the cost of treatment. In the latter case, the patient needed a copy of the records to appeal the decision of the insurance company, yet the records were not provided in time. In fact, they were not provided at all, despite the intervention of OCR. In that case, OCR imposed a civil monetary penalty of $100,000.

The HIPAA Right of Access is a fundamental right for patients that was introduced by the HIPAA Privacy Rule. If a valid request is received from a patient, the records must be provided even if the patient has not paid for their medical treatment in full.

Some of the violations have resulted from a misunderstanding of when medical records can be provided to a patient’s nominated representative, such as to a parent of a minor. OCR has clarified that such disclosures of the records are permitted. “An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice),” and has previously written guidance for HIPAA-covered entities on personal representatives.

Further clarification on the HIPAA Right of Access can be found on the HHS website.

July 2022 HIPAA Right of Access Financial Penalties

HIPAA Covered Entity State Penalty Type Penalty Amount Reason
Memorial Hermann Health System TX Settlement $240,000 564 days to provide complete records
ACPM Podiatry IL Civil Monetary Penalty $100,000 Failure to provide records due to outstanding bills, even with intervention by OCR
Southwest Surgical Associates TX Settlement $65,000 13 months to provide the requested records
Hillcrest Nursing and Rehabilitation MA Settlement $55,000 7 months to provide records to a personal representative of the patient
MelroseWakefield Healthcare MA Settlement $55,000 4 months to provide records to a personal representative of the patient
Erie County Medical Center Corporation NY Settlement $50,000 Impermissible delay in providing records to a patient’s personal representative
Fallbrook Family Health Center NE Settlement $30,000 Impermissible delay in providing records to a patient
Associated Retina Specialists NY Settlement $22,500 5 months to provide records to a patient
Coastal Ear, Nose, and Throat FL Settlement $20,000 5 months to provide records to a patient
Lawrence Bell, Jr. D.D.S MD Settlement $5,000 3 months to provide records to a patient
Danbury Psychiatric Consultants MA Settlement $3,500 6-month delay in providing records due to outstanding bill

 “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”