HIPAA Right of Access Violations Results in Fines for Five Entities

Five financial penalties related to HIPAA Right of Access breaches have been sanctioned by the HHS’ Office for Civil Rights (OCR), in line with its current focus on heightened compliance enforcement.

This current campaign began in the second half of 2019 following a spike in reports from patients that were not given adequate access to their PHI as per the HIPAA Privacy Rule. When a request is submitted the HIPAA entity has 30 days to process it. In some cases an extension of 30 days may be allowed depending on the circumstances. It is also allowable to charge patients for this but it must be a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and sending the PHI after it has been located.

There have been no fines issued in relation to charging excessive amounts to date. The only HIPAA fines have been sanctioned for failing to supply a copy of the requested records or for unnecessary delays. 

The most recent announcement by OCR means that there have now been 25 HIPAA Right of Access enforcement actions since the enforcement initiative was established in 2019.

In the five cases outlined here, OCR found that the healthcare providers were in breach of 45 C.F.R. § 164.524 and had not provided timely access to PHI about the individual after the submission of an official request.

  1. Denver Retina Center: A Denver, CO-based ophthalmological services clinic, settled its review with OCR and handed over a $30,000 HIPAA fine and will be on probation for compliance with its corrective action plan for one year. A patient claimed she had requested her records in December 2018 but was not given a copy of these until July 26, 2019. OCR had made technical assistance available to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same individual and closed the case. When proof was received of continued non-compliance the case was revisited. OCR ruled that, along with the delay, Denver Retina Center’s access policies and procedures were not in line with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).
  2. Advanced Spine & Pain Management: Chronic pain-related clinic located in Cincinnati and Springboro, OH, agreed to settle OCR’s review and handed over a $32,150 financial penalty and will be observed by OCR for compliance with its corrective action plan for two years. The investigation took place as a result of a complaint being submitted by a patient who asked for his medical records on November 25, 2019, but was not given these records until March 19, 2020.
  3. Wake Health Medical Group: Raleigh, NC-based primary care health care service provider, settled OCR’s investigation and handed over a $10,000 HIPAA fine and has agreed to take corrective action to mitigate additional HIPAA Right of Access breaches. OCR had registered a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for supplying duplicates of medical records. As of the date of the settlement, the patient has still not been supplied with the requested records.
  4. Dr. Robert Glaser: New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not assist OCR during the breach investigation, although did not refute the results of said investigation and waived his right to a hearing. A civil monetary penalty of $100,000 was sanctioned by OCR. A review was initiated after receipt of a complaint from a former patient who claimed he had made a number of written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was submitted to OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after asking Dr. Glaser to review the complaint and hand over the requested records if the requests were in line with the HIPAA Right of Access. The patient submitted an additional complaint with OCR on March 20, 2018, and supplied proof of more written requests. OCR tried to contact Dr. Glaser on many occasions by letter and phone, but he repeatedly failed to reply, hence the decision to impose a civil fine.
  5. Rainrock Treatment Center LLC (dba Monte Nido Rainrock): Eugene, OR-located residential eating disorder treatment services centre settled OCR’s investigation and handed over a $160,000 fine and on probation in relation to a compliance with the corrective action plan for one year. OCR had registered three separate complaints from a patient who had not been  supplied with a copy of her medical records. The patient had asked for a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

OCR Director Lisa J. Pino said: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”