OCR Announces 11 Further Financial Penalties for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has sent a warning to healthcare providers about the importance of compliance with the HIPAA Right of Access with the announcement that a further 11 financial penalties for HIPAA-covered entities that have failed to provide patients with timely access to their medical records. The latest batch of enforcement actions brings the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38.

The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information from healthcare providers and health plans. When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

HIPAA Right of Access Penalties

The latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.

Please see the HIPAA Journal Privacy Policy

One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. The investigation was closed. A second complaint was then filed with OCR a month later when the records had still not been provided.

OCR’s investigation revealed the records had been withheld as the complainant’s insurance company had not paid the bill, but the complainant said the records were required in order to appeal the unfavorable decision, and that the records were necessary to file that appeal. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, OCR’s notice of proposed determination of a financial penalty, nor the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.

Three of the enforcement actions stemmed from a HIPAA-covered entity failing to provide a patient’s nominated representative with a copy of the requested records when HIPAA allows the release of records to a personal representative. Two cases involved the withholding of a patient’s medical records due to outstanding medical bills. A patient’s right to obtain a copy of their medical records is not conditional on whether payment for medical services has been made in full.

A summary of each financial penalty has been provided in the table below.

HIPAA Covered Entity State Penalty Type Penalty Amount Individuals Affected Alleged Violation Reason
ACPM Podiatry IL Civil Monetary Penalty $100,000 1 Untimely Access Records not provided
Memorial Hermann Health System TX Settlement $240,000 1 Untimely Access Records not provided in full for 564 days from the initial request
Southwest Surgical Associates TX Settlement $65,000 1 Untimely Access Records not provided for 13 months
Hillcrest Nursing and Rehabilitation MA Settlement $55,000 1 Untimely Access Records not provided to a personal representative for 7 months
MelroseWakefield Healthcare MA Settlement $55,000 1 Untimely Access Failure to provide records to a patient’s nominated representative for 4 months
Erie County Medical Center Corporation NY Settlement $50,000 1 Untimely Access Failure to provide the requested records to a patient’s nominated representative
Fallbrook Family Health Center NE Settlement $30,000 1 Untimely Access Unspecified delay in providing requested records
Associated Retina Specialists NY Settlement $22,500 1 Untimely Access Failure to provide patient with access to records for 5 months
Coastal Ear, Nose, and Throat FL Settlement $20,000 1 Untimely Access Failure to provide patient with access to records for 5 months
Lawrence Bell, Jr. D.D.S MD Settlement $5,000 1 Untimely Access Failure to provide records for more than 3 months
Danbury Psychiatric Consultants MA Settlement $3,500 1 Untimely Access Withheld records for 6 months as the patient had an outstanding medical bill

OCR has now imposed 122 financial penalties on HIPAA-regulated entities to resolve HIPAA violations since 2008. The latest batch of HIPAA penalties brings the total enforcement actions in 2022 involving a financial penalty up to 16, exceeding the financial penalties imposed in all of 2021 by 2.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.