In 2019, the HHS’ Office for Civil Rights launched an enforcement initiative targeting organizations that had not complied with the HIPAA Right of Access.
The HIPAA Privacy Rule gives individuals the right to inspect and obtain a copy of their health data, in a timely manner, for a reasonable cost-based fee. If an individual requests a copy of their own PHI or the PHI of an individual for whom they are the personal representative, a copy of the health data stored in a designated record set must be provided within 30 days of the request being received.
In 2019, OCR settled two cases with HIPAA covered entities under the HIPAA Right of Access initiative. Both entities had failed to provide patients with a copy of their health data and were each fined $85,000.
This week, OCR announced that five more entities have been ordered to pay a financial penalty to resolve potential violations of the HIPAA Right of Access. In addition to the financial penalty, each is required to adopt a corrective action plan to address the noncompliance and each will be monitored closely by OCR for one or two years (depending on each case) to ensure continued compliance.
The purpose of the fines is to send a message to all HIPAA covered entities and business associates that noncompliance with the HIPAA Right of Access will not be tolerated.
“Patients can’t take charge of their health care decisions, without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”
The financial penalties are based on several factors including the severity of the violation, the number of people affected, the nature of any harm caused, the ability of an entity to pay, the entity’s history of compliance, the size of the entity, and the impact of the COVID-19 public health emergency. The latest cases were settled for between $3,500 and $70,000.
All cases were investigated after OCR received a complaint from an individual who had requested a copy of their health data from their provider, only for the request to be ignored or denied. In each case, it took intervention from OCR for medical records to be provided.
HIPAA Right of Access Settlements
Wise Psychiatry, PC
Wise Psychiatry is a small Colorado-based provider of psychiatric services. OCR received a complaint from an individual in February 2018 that alleged Wise Psychiatry failed to provide a personal representative with access to his (minor) son’s medical records. OCR provided technical assistance to Wise Psychiatry on the HIPAA Right of Access and closed the case in April 2018. A second complaint was submitted by the same individual in October 2018 when his son’s records had still not been provided. Those records were eventually provided in May 2019.
Penalty: $10,000; Corrective Action Plan; 1 year of monitoring
King MD is a small Virginia-based provider of psychiatric services. OCR received a complaint from an individual in October 2018 that alleged King MD failed to provide access to her medical records. OCR provided technical assistance to King MD on the HIPAA Right of Access and closed the case in August 2018. A second complaint was submitted by the same individual in February 2019 when her medical records had still not been provided. The woman received her medical records in July 2020.
Penalty: $3,500; Corrective Action Plan; 2 years of monitoring
Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services (BILHBS) is an eastern Massachusetts health network providing mental health and substance use disorder services.
OCR received a complaint from an individual in April 2019 alleging BILHBS failed to respond to a February 2019 request from an individual to access her father’s health records. The woman was the personal representative of her father. The woman received her father’s medical records in October 2019 after OCR’s intervention.
Penalty: $70,000; Corrective Action Plan; 1 year of monitoring
All Inclusive Medical Services, Inc.
All Inclusive Medical Services, Inc. (AIMS) is a multi-specialty family medicine clinic based in Carmichael, CA. OCR received a complaint from an individual in April 2018 alleging AIMS refused to provide medical records to a patient in January 2018. Following the intervention of OCR, AIMS provided those records in August 2020.
Penalty: $15,000; Corrective Action Plan; 2 years of monitoring
Housing Works, Inc.
Housing Works is a NYC-based provider of healthcare, homeless services, and other services for people living with or affected by HIV/AIDS. OCR received a complaint from an individual in July 2019 claiming Housing Works failed to respond to a request for a copy of his health data that was sent the previous month. OCR provided Housing Works with technical assistance on the HIPAA Right of Access requirements and closed the complaint.
The same individual submitted a further complaint in August 2019, as he had still not been provided with his medical records. OCR intervened and he finally received his medical records in November 2019.
Penalty: $38,000; Corrective Action Plan; 1 year of monitoring