OCR Issues 8th HIPAA Penalty Under HIPAA Right of Access Enforcement Initiative

St. Joseph’s Hospital and Medical Center HIPAA Fine

The Department of Health and Human Services’ Office for Civil Rights has imposed its 8th HIPAA penalty on a healthcare provider for the failure to comply with the Right of Access requirement of the HIPAA Privacy Rule.

The HIPAA Privacy Rule gives patients the right to obtain a copy of their protected health information (PHI) in one or more “designated record sets” maintained by or for a HIPAA-covered entity. The PHI must be provided within 30 days of the request being received.

A mother, acting as her son’s personal representative, sent a request for a copy of her son’s medical records to Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), on January 24, 2018.

SJHMC responded but failed to provide all of the requested records. On April 25, 2018, the mother submitted a complaint to the HHS’ Office for Civil Rights.

OCR investigated the complaint and determined the mother had requested four specific sets of PHI from SJHMC. The first request was received by SJHMC on January 24, 2018. Further requests for the same records were received on March 22, April 3, and May 2, 2018.

The mother contacted SJHMC on May 2, May 10, and May 15, 2018 to request the records that had not been provided.  SJHMC did respond and provided copies of her son’s medical records but did not send the specific PHI that had been requested. It took 22 months for all of the requested medical records to be provided. The mother finally received all requested PHI on December 19, 2019.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

SJHMC agreed to settle the case with no admission of liability and paid a $160,000 financial penalty to OCR. SJHMC also agreed to adopt a corrective action plan and will be monitored by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/