University of Cincinnati Medical Center Fined $65,000 for HIPAA Right of Access Failure


The HHS’ Civil Rights Office has publicly acknowledged its 18th HIPAA financial penalty of the year, with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR revealed a new drive to ensure individuals are allowed timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become obvious to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and specific patients were having trouble obtaining a copy of their medical records.

A recent financial penalty imposed on University of Cincinnati Medical Center, LLC (UCMC) was $65,000. This was due to a patient complaint by OCR on May 30th, 2019, who had submitted a request to UCMC on February 22nd , 2019 for a copy of her personal medical records to be shared with her lawyer.

The HIPAA Rights of Access requires copies of medical records to be given – on the patients request – before a 30 day period after the request. 45 C.F.R. § 164.524 also says these requested records can be sent to a third party if the patient so wishes.

The complaint referred to above was submitted with OCR over 13 weeks prior to the patients request – OCR then got involved and UCMC eventually shared the records with her lawyer on August 7th, 2019, more then 5 months after the requests were submitted.

Before investigating this complaint, OCR decided that UCMC had failed to uphold violations and a financial penalty was deemed applicable.

Along with the financial penalty, UCMC was required to begin a corrective process in which they begin a rock solid compliance with these violations , to be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

Roger Severino, OCR Director, commented on the fine saying: “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records”.