The HHS’ Office for Civil Rights has settled 4 more investigations into potential HIPAA Right of Access violations and has imposed one civil monetary penalty for the failure to provide timely access to medical records.
The HIPAA Privacy Rule introduced several new rights for patients, one of which is the right to access protected health information in a designated record set. A designated record set is a group of records maintained by or on behalf of a covered entity. The information contained in that set of data includes medical records, billing records, enrollment, payment, claims and adjudication information, and other information that is used to make decisions about individuals.
If an individual makes a request for information, such as their medical records, a covered entity must provide them within 30 calendar days, although covered entities are encouraged to respond to requests as soon as possible. A 30-day extension to the deadline is permitted in some situations, such as if the records are archived offsite, and some records must not be provided, such as psychotherapy notes.
The HHS’ Office for Civil Rights launched a new enforcement initiative in 2019 to tackle widespread noncompliance with this important HIPAA provision and that enforcement initiative remains in effect to this day. On November 30, 2021, OCR announced five more enforcement actions under this initiative, where HIPAA-covered entities failed to comply with the HIPAA Right of Access. In all cases, the enforcement actions stemmed from complaints filed with OCR by patients who had not been provided with timely access to their medical records.
OCR investigated all 5 cases and determined the failure to provide timely access to individuals’ protected health information violated 45 C.F.R. § 164.524 of the HIPAA Privacy Rule and that the delays warranted a financial penalty. Including these enforcement actions, OCR has imposed 25 financial penalties under its HIPAA Right of Access enforcement initiative.
Four of the five HIPAA Right of Access cases were settled with OCR, with the investigated healthcare providers agreeing to pay a financial penalty, update their policies and procedures, and provide training on the new procedures to their workforce. OCR will also subject those entities to a period of monitoring to ensure continued compliance.
One covered entity did not cooperate with OCR’s investigation, did not respond to requests to provide data to OCR, did not respond to OCR’s proposed determination or notice of final determination, and rejected the right to a hearing. In that case, a civil monetary penalty was imposed.
| HIPAA-Covered Entity | Penalty Type | Amount |
|---|---|---|
| Rainrock Treatment Center dba Monte Nido Rainrock | Settlement | $160,000 |
| Advanced Spine & Pain Management | Settlement | $132,150 |
| Dr. Robert Glaser | Civil Monetary Penalty | $100,000 |
| Denver Retina Center | Settlement | $30,000 |
| Wake Health Medical Group | Settlement | $10,000 |
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”