With Recent Settlements, HHS OCR’s HIPAA Right of Access Initiative Continues To Be a Focus of Enforcement

OCR’s HIPAA Right of Access Initiative shows no signs of slowing down. On July 15, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of 11 more cases at a total of $626,000, bringing the total number of these enforcement actions to 38 since the beginning of OCR’s initiative. The settlements ranged from $3,500 to $240,000.

One factor in the higher settlements is the duration between a Complainant’s request for their records and the time that they are provided. For example, a non-profit health system paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. The Complainant made an initial, written request for at a minimum, an itemized billing statement, but a copy of her itemized billing statement was not provided to her for 564 days. This is substantially longer than the permitted 30-day response period and allowable 30-day extension.

In another case, a podiatry practice received a civil money penalty when they failed to provide a former patient with his requested medical records. The former patient filed a complaint which OCR investigated and closed. After numerous requests, OCR then received a second complaint from the same individual, alleging that the practice still had not provided the medical records. The former patient notified OCR that they received a copy of their medical records from the practice 618 days after the written access request. To make matters worse, the patient asserted to OCR that the records they received were incomplete. The practice did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination, and OCR imposed a civil money penalty of $100,000.

On the lower end of settlement, a psychiatric practice paid $3,500 after they failed to respond timely to a Complainant’s access request. The practice withheld the Complainant’s access on the basis that the Complainant had an outstanding balance and required a signed request or authorization request. The practice failed to provide access to all of the Complainant’s PHI for nearly six months, and, most importantly, did not provide access until after OCR initiated its investigation. In another case, a dental practice settled for $5,000 when they failed to provide access to a patient’s medical record for three months after the written request was made.

However, the length of time it takes for a Covered Entity to provide patients access to their PHI is not the only factor that OCR considers. Ensuring that the records provided are complete and that there are no impermissible limitations or barriers to their delivery is also important. A practice settled with OCR for $50,000 after they failed to provide a Complainant with a complete copy of their medical records when requested. The practice did partially provide records to the requestor prior to the complaint, and in full after the start of the OCR investigation, but the rule requires the timely provision of all requested records. In two other cases, patient records were withheld and not provided in a timely manner, partly because the patients had an outstanding balance. In one of those cases, the patient requested their medical records to file an appeal with the insurance who denied their claim. This is most likely the same unpaid claim the physician was using as justification for not responding to the patient’s access request. There are very limited reasons why an individual’s request for access to their records can be denied. Unpaid bills are not one of them.

Additionally, a medical practice’s staff’s ignorance and lack of privacy training are insufficient defenses to a complaint. In one case, OCR determined that a practice did not provide a Complainant a complete copy of their designated record set even though it was requested in writing three separate times. The practice offered the argument that its’ failure to provide timely access was due to a former employee’s misunderstanding of an individual’s access rights under HIPAA. OCR did not find this argument compelling as the practice settled for $30,000.

OCR’s initiative to support individuals’ right to timely access their health records under the HIPAA Privacy Rule continues to result in enforcement actions. As seen, by the most recent enforcement actions, covered entities of all sizes should take their HIPAA compliance responsibilities seriously and respond to requests for access in a timely manner. As they’ve made clear with these recent settlements under the right of access initiative, OCR will pursue investigations of any complaint that alleges that an individual was denied access to protected health information. They will seek civil money penalties for violations that are not properly addressed. As Director Pino stated, “…OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.” It may be time to listen.