HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.