HIPAA Enforcement is Alive and Well – Patient Right of Access

Updated November 12, 2020

Patients have the right to see their own medical records. This simple concept is a HIPAA requirement and is easy to comply with. Yet many healthcare providers misunderstand it and create roadblocks or unnecessary delays. A better idea would be to understand the rule and make sure to comply – and avoid investigations and fines.

Right of Access Initiative – Eleven Settlements so Far

The Office for Civil Rights (OCR), the agency that enforces HIPAA, has long considered the patient right of access a priority, and has settled a total of eleven investigations under its Right of Access Initiative.

In September OCR announced resolution agreements with five healthcare providers that failed to provide access as HIPAA requires. The fines for the five settlements range from $3,500 to $70,000.

In September, 2019 OCR announced its first enforcement action and settlement in its Right of Access Initiative. OCR settled a second right of access investigation in December, 2019 with Korunda Medical, LLC, who paid $85,000.

OCR announced the Initiative in 2019 as an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements announced on September 15, 2020 bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative.

OCR announced four more Right of Access investigation settlements in October and November: on October 7, October 9, November 6, and November 12, 2020, bringing the total number of cases to eleven since the Right of Access Initiative began last year.

But long before that, OCR had cautioned that obstacles to patients receiving access were HIPAA violations. In 2016, for example, OCR warned that requiring someone to execute an “authorization” in order to obtain access to their own records may create an impermissible obstacle under HIPAA. Learn about the difference between authorization and access here.

Five Recent Cases Enforcing Right of Access

In addition to the fines, each of the covered entities agreed to adopt a corrective action plan (CAP) to improve HIPAA compliance.

Behavioral Health, Nonprofits and Small Providers are not Immune to Enforcement

Several things stand out about these five cases. Three of them provide behavioral health services and two of them are quite small. The smaller organizations paid smaller fines, but they were still investigated, and must implement “corrective actions” to improve compliance and be monitored by OCR going forward, like the other three. Another factor is that each of the investigations could have been resolved earlier without fines, but the patterns were the same – they did not take the investigation seriously or act quickly enough. Policies were absent, or weren’t being followed.

The message is clear: whether small or large, for-profit or not-for-profit, all covered entities are expected to take HIPAA seriously, know the rules, and follow through.

$38,000 – Housing Works, Inc. 

This non-profit organization provides healthcare, homeless services, job training, advocacy and legal aid support for people living with and affected by HIV/AIDS in New York City. (agreed to a one-year CAP)

$15,000 – All Inclusive Medical Services, Inc.

AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. (agreed to a two-year CAP)

$70,000 – Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services is the largest network of mental health and substance use disorder services in the greater Boston area and eastern Massachusetts. (agreed to a one-year CAP)

$3,500 – King MD

King MD is a small health care provider of psychiatric services in Virginia. (agreed to a two-year CAP)

$10,000 – Wise Psychiatry, PC

Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado. (agreed to a one-year CAP)

Four More Right of Access Cases Announced in October and November 2020

$160,000 – Dignity Health

St. Joseph’s Hospital and Medical Center (“SJHMC”), part of Dignity Health, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services. (agreed to a two-year CAP)

$100,000 – NY Spine

NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. (agreed to a two-year CAP)

$25,000 – Riverside Psychiatric Medical Group

Riverside Psychiatric Medical Group is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders in Riverside, CA. (agreed to a two-year CAP)

$15,000 – Dr. Rajendra Bhayani

Dr. Rajendra Bhayani is a private practitioner specializing in otolaryngology in Regal Park, NY. (agreed to a two-year CAP)

Key Elements of Right of Access

  • Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
  • Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days.
  • Fees, if any, should be minimal. NOTE: due to a recent lawsuit, a higher fee may be charged when a patient requests records be sent to a third party. (Ciox Health vs. Alex Azar)
  • Don’t confuse the right of access (for the individual) with a required HIPAA authorization (a third party)

A lawsuit decided in January 2020, Ciox Health vs. Alex Azar, left the Right of Access rule intact but slightly altered how the fees are calculated when a patient requests that their information be sent to a third party. It also limits a patient’s right to get an electronic copy of records if the covered entity doesn’t have an electronic copy readily available in the exact format requested.

The HIPAA E-Tool® Prevents Investigations and Fines

There is no good reason to be tripped up by the Right of Access requirement of the HIPAA Privacy Rule. When you have the policies, forms and guidance in The HIPAA E-Tool® at your fingertips, answers are easy to find, and you will know what to do.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.
