HIPAA Enforcement is Alive and Well – Patient Right of Access

Updated January 12, 2020

Patients have the right to see their own medical records. This simple concept is a HIPAA requirement and is easy to comply with. Yet many healthcare providers misunderstand it and create roadblocks or unnecessary delays. A better idea would be to understand the rule and make sure to comply – and avoid investigations and fines.

Right of Access Initiative – Fourteen Settlements so Far

The Office for Civil Rights (OCR), the agency that enforces HIPAA, has long considered the patient right of access a priority, and has settled a total of fourteen investigations under its Right of Access Initiative.

In September, OCR announced resolution agreements with five healthcare providers that failed to provide access as HIPAA requires. The fines for the five settlements range from $3,500 to $70,000.

A little over a year ago, in September 2019, OCR announced its first enforcement action and settlement in its Right of Access Initiative. OCR settled a second right of access investigation in December 2019 with Korunda Medical, LLC, which paid $85,000.

OCR announced the Initiative in 2019 as an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements announced on September 15, 2020 bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative through September 2020.

OCR announced four more Right of Access investigation settlements in October and November: on October 7, October 9, November 6, and November 12, 2020, bringing the total number of cases to eleven as of November 12. With three more settlements announced between November and January, the total number of cases is fourteen.

But long before that, OCR had cautioned that obstacles to patients receiving access were HIPAA violations. In 2016, for example, OCR warned that requiring someone to execute an “authorization” in order to obtain access to their own records may create an impermissible obstacle under HIPAA. Learn about the difference between authorization and access here.

Five Recent Cases Enforcing Right of Access

In addition to the fines, each of the covered entities agreed to adopt a corrective action plan (CAP) to improve HIPAA compliance.

Behavioral Health, Nonprofits and Small Providers are not Immune to Enforcement

Several things stand out about these five cases. Three of them provide behavioral health services and two of them are quite small. The smaller organizations paid smaller fines, but they were still investigated, and must implement “corrective actions” to improve compliance and be monitored by OCR going forward, like the other three. Another factor is that each of the investigations could have been resolved earlier without fines, but the patterns were the same – they did not take the investigation seriously or act quickly enough. Policies were absent, or weren’t being followed.

The message is clear: whether small or large, for profit or not for profit, all covered entities are expected to take HIPAA seriously, know the rules, and follow through.

$38,000 – Housing Works, Inc. 

This non-profit organization provides healthcare, homeless services, job training, and advocacy and legal aid support for people living with and affected by HIV/AIDS in New York City. (agreed to a one-year CAP)

$15,000 – All Inclusive Medical Services, Inc.

AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. (agreed to a two-year CAP)

$70,000 – Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services is the largest network of mental health and substance use disorder services in the greater Boston area and eastern Massachusetts. (agreed to a one-year CAP)

$3,500 – King MD

King MD is a small health care provider of psychiatric services in Virginia. (agreed to a two-year CAP)

$10,000 – Wise Psychiatry, PC

Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado. (agreed to a one-year CAP)

Seven More Right of Access Cases Announced from October 2020 through January 2021

$160,000 – Dignity Health

St. Joseph’s Hospital and Medical Center (“SJHMC”), part of Dignity Health, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services. (agreed to a two-year CAP)

$100,000 – NY Spine

NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. (agreed to a two-year CAP)

$25,000 – Riverside Psychiatric Medical Group

Riverside Psychiatric Medical Group is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders in Riverside, CA. (agreed to a two-year CAP)

$15,000 – Dr. Rajendra Bhayani

Dr. Rajendra Bhayani is a private practitioner specializing in otolaryngology in Regal Park, NY. (agreed to a two-year CAP)

$65,000 – University of Cincinnati Medical Center

The UCMC is an academic medical center providing healthcare services to the Greater Cincinnati community. (agreed to a two-year CAP)

$36,000 – Peter Wrobel, M.D., P.C., dba Elite Primary Care

Elite Primary Care in Waycross, GA is a small practice specializing in Family Medicine, Pediatrics, Vascular Surgery and General Medicine. Peter Wrobel is one of the three physicians in the practice. (agreed to a two-year CAP)

$200,000 – Banner Health

Banner Health, a non-profit organization, is one of the largest health care systems in the United States and is based in Phoenix. It operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities. (agreed to a two-year CAP)

Key Elements of Right of Access

  • Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
  • Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days.
  • Fees, if any, should be minimal. NOTE: due to a recent lawsuit, a higher fee may be charged when a patient requests records be sent to a third party. (Ciox Health vs. Alex Azar)
  • Don’t confuse the right of access (for the individual) with a required HIPAA authorization (a third party)

A lawsuit decided in January 2020, Ciox Health vs. Alex Azar, left the Right of Access rule intact, but slightly altered how the fees are calculated when a patient requests their information be sent to a third party, and also limits a patient’s right to get an electronic copy of records if the covered entity doesn’t have an electronic copy readily available in the exact format requested.

The HIPAA E-Tool® Prevents Investigations and Fines

There is no good reason to be tripped up by the Right of Access requirement of the HIPAA Privacy Rule. When you have the policies, forms and guidance in The HIPAA E-Tool® at your fingertips, answers are easy to find, and you will know what to do.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.
