OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare

Another healthcare provider has paid a financial penalty after failing to comply with the HIPAA Right of Access. This is the 47th financial penalty imposed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) since it launched its HIPAA Right of Access enforcement initiative in 2019.

Phoenix Healthcare has agreed to pay a financial penalty of $35,000 to resolve the alleged HIPAA violation and implement a corrective action plan that involves updating its policies and procedures for providing patients and their personal representatives with access to medical records that they are entitled to view, and to provide training to the workforce on the new procedures.

OCR investigated a complaint from the personal representative (daughter) of a patient (her mother) who had received care at Phoenix Healthcare, the operator of several nursing facilities in Oklahoma. The daughter made multiple requests to obtain a copy of her mother’s medical records but was not provided with the requested records. It took 323 days from the initial request for Phoenix Healthcare to provide the records when the HIPAA Right of Access requires the records to be provided within 30 days, or within 60 days in certain circumstances.

OCR determined that the failure to provide timely access to the medical records constituted a violation of the HIPAA Right of Access and notified Phoenix Healthcare of its intention to impose a $250,000 financial penalty. Rather than agreeing to settle with OCR, Phoenix Healthcare requested the case be reviewed by an Administrative Law Judge (ALJ). The ALJ upheld OCR’s determination that there had been a violation of the HIPAA Right of Access and willful neglect of the HIPAA Rules and ordered Phoenix Healthcare to pay a reduced penalty of $75,000. Phoenix Healthcare appealed the ALJ’s decision, but the Departmental Appeals Board affirmed the ALJ’s decision and the $75,000 financial penalty.

OCR chose to settle with Phoenix Healthcare for a reduced penalty of $35,000 provided that Phoenix Healthcare did not challenge the decision further and agreed to comply with the corrective action plan. If Phoenix Healthcare does not comply with the corrective action plan, it will be required to pay the full $75,000 civil monetary penalty.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/