ekg chart

HIPAA Enforcement is Alive and Well – Patient Right of Access

Updated March 30, 2022

Patients have the right to see their own medical records. This simple concept is a HIPAA requirement and is easy to comply with. Yet many healthcare providers misunderstand it and create roadblocks or unnecessary delays. A better idea would be to understand the rule and make sure to comply – and avoid investigations and fines.

The Office for Civil Rights (OCR), the agency that enforces HIPAA, has long considered the patient right of access a priority, and has settled a total of twenty investigations under its 2019 Right of Access Initiative.

OCR announced the Initiative in 2019 as an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

  • In September, 2019 OCR announced its first enforcement action and settlement in its Right of Access Initiative. OCR settled a second right of access investigation in December, 2019 with Korunda Medical, LLC, which paid $85,000;
  • During 2020, there were eleven Right of Access investigation settlements;
  • A total of seven more settlements through September, 2021,
  • Seven more enforcement action settlements between September, 2021 and March 28, 2022.

bringing the total number of cases, as of March 28, 2022, to twenty-seven (27).

But long before this 2019 Right of Access Initiative, OCR has cautioned that obstacles to patients receiving access were HIPAA violations. In 2016 for example, OCR warned that requiring someone to execute an “authorization” in order to obtain access to their own records may create an impermissible obstacle under HIPAA. Learn about the difference between authorization and access here.

In addition to the fines, each of the covered entities agreed to adopt a corrective action plan (CAP) to improve HIPAA compliance.

Right of Access Initiative – Eleven Settlements During 2020

Behavioral Health, Nonprofits and Small Providers are not Immune to Enforcement

Several things stand out about the following five cases. Three of them provide behavioral health services and two of them are quite small. The smaller organizations paid smaller fines, but they were still investigated, and must implement “corrective actions” to improve compliance and be monitored by OCR going forward, like the other three. Another factor is that each of the investigations could have been resolved earlier without fines, but the patterns were the same – they did not take the investigation seriously or act quickly enough. Policies were absent, or weren’t being followed.

The message is clear, whether small or large, for profit or not for profit, all covered entities are expected to take HIPAA seriously, know the rules, and follow through.

$38,000 – Housing Works, Inc. 

This non-profit organization provides healthcare, homeless services, job training and advocacy and legal aid support for people living with and affected by HIV/AIDS in New York city. (agreed to a one-year CAP)

$15,000 – All Inclusive Medical Services, Inc.

AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. (agreed to a two-year CAP)

$70,000 – Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services is the largest network of mental health and substance use disorder services in the greater Boston area and eastern Massachusetts. (agreed to a one-year CAP)

$3,500 – King MD

King MD is a small health care provider of psychiatric services in Virginia. (agreed to a two-year CAP)

$10,000 – Wise Psychiatry, PC

Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado. (agreed to a one-year CAP)

Six More Right of Access Cases Announced from October through December 2020

$160,000 – Dignity Health

St. Joseph’s Hospital and Medical Center (“SJHMC”), part of Dignity Health, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services. (agreed to a two-year CAP)

$100,000 – NY Spine

NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. (agreed to a two-year CAP)

$25,000 – Riverside Psychiatric Medical Group

Riverside Psychiatric Medical Group is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders in Riverside, CA. (agreed to a two-year CAP)

$15,000 – Dr. Rajendra Bhayani

Dr. Rajendra Bhayani is a private practitioner specializing in otolaryngology in Regal Park, NY. (agreed to a two-year CAP)

$65,000 – University of Cincinnati Medical Center

The UCMC is an academic medical center providing healthcare services to the Greater Cincinnati community (agreed to a two-year CAP)

$36,000 – Peter Wrobel, M.D., P.C., dba Elite Primary Care

Elite Primary Care in Waycross GA is a small practice specializing in Family Medicine, Pediatrics, Vascular Surgery and General Medicine. Peter Wrobel is one of the three physicians in the practice. (agreed to a two-year CAP)

For the 2021 update on more Right of Access settlements, see HIPAA Enforcement in 2021.

Key Elements of Right of Access

  • Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
  • Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days
  • Fees, if any, should be minimal. NOTE: due to a recent lawsuit, a higher fee may be charged when a patient requests records be sent to a third party. (Ciox Health vs. Alex Azar)
  • Don’t confuse the right of access (for the individual) with a required HIPAA authorization (a third party)

A lawsuit decided in January, 2020, Ciox Health vs. Alex Azar left the Right of Access rule intact, but slightly altered how the fees are calculated when a patient requests their information be sent to a third party, and also limits a patient’s right to get an electronic copy of records if the covered entity doesn’t have an electronic copy readily available in the exact format requested.

The HIPAA E-Tool® Prevents Investigations and Fines

There is no good reason to be tripped up by the Right of Access requirement of the HIPAA Privacy Rule. When you have the policies, forms and guidance in The HIPAA E-Tool® at your fingertips, answers are easy to find, and you will know what to do.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU