OCR Announces 5 Financial Penalties to Resolve HIPAA Right of Access Investigations

The HHS’ Office for Civil Rights has settled 4 more investigations into potential HIPAA Right of Access violations and has imposed one civil monetary penalty for the failure to provide timely access to medical records.

The HIPAA Privacy Rule introduced several new rights for patients, one of which is the right to access protected health information in a designated record set. A designated record set is a group of records maintained by or on behalf of a covered entity. The information contained in that set of data includes medical records, billing records, enrollment, payment, claims and adjudication information, and other information that is used to make decisions about individuals.

If an individual makes a request for information, such as their medical records, a covered entity must provide it within 30 calendar days, although covered entities are encouraged to respond to requests as soon as possible. A 30-day extension to the deadline is permitted in some situations, such as if the records are archived offsite, and some records must not be provided, such as psychotherapy notes.

The HHS’ Office for Civil Rights launched a new enforcement initiative in 2019 to tackle widespread noncompliance with this important HIPAA provision and that enforcement initiative remains in effect to this day. On November 30, 2021, OCR announced five more enforcement actions under this initiative, where HIPAA-covered entities failed to comply with the HIPAA Right of Access. In all cases, the enforcement actions stemmed from complaints filed with OCR by patients who had not been provided with timely access to their medical records.

OCR investigated all 5 cases and determined the failure to provide timely access to individuals’ protected health information violated 45 C.F.R. § 164.524 of the HIPAA Privacy Rule and that the delays warranted a financial penalty. Including these enforcement actions, OCR has imposed 25 financial penalties under its HIPAA Right of Access enforcement initiative.

Four of the five HIPAA Right of Access cases were settled with OCR, with the investigated healthcare providers agreeing to pay a financial penalty, update their policies and procedures, and provide training on the new procedures to their workforce. OCR will also subject those entities to a period of monitoring to ensure continued compliance.

One covered entity did not cooperate with OCR’s investigation, did not respond to requests to provide data to OCR, did not respond to OCR’s proposed determination or notice of final determination, and rejected the right to a hearing. In that case, a civil monetary penalty was imposed.

| HIPAA-Covered Entity | Penalty Type | Amount |
|---|---|---|
| Rainrock Treatment Center dba Monte Nido Rainrock | Settlement | $160,000 |
| Advanced Spine & Pain Management | Settlement | $132,150 |
| Dr. Robert Glaser | Civil Monetary Penalty | $100,000 |
| Denver Retina Center | Settlement | $30,000 |
| Wake Health Medical Group | Settlement | $10,000 |

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

Author: Ryan Coyne