HHS Imposes 5 Financial Penalties for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the closure of five investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA), all of which have resulted in financial penalties.

The enforcement actions are part of OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. The HIPAA Right of Access gives individuals the right to obtain a copy of their medical records held by a HIPAA-regulated entity. When a request is made in writing, except in limited circumstances, the requested records must be provided. HIPAA-regulated entities must provide the requested records within 30 days, although in very limited circumstances an additional 30 days may be allowed to provide the records.

Individuals who obtain a copy of their records can check them for errors and request that any errors be corrected. With a copy in hand, they are free to share the records with other healthcare providers or family members, or to provide them to medical research organizations. Having a copy of medical records also ensures that in the event of a ransomware attack or IT failure, the information stored in medical records will not be permanently lost.

All five investigations were launched after OCR received complaints from patients who had been denied copies of their records or had not been provided with timely access to their medical records. Since 2019, when the enforcement initiative was launched, there have been 25 financial penalties imposed for HIPAA Right of Access violations.

Four of the latest five investigations were settled with OCR with no admission of liability, with each covered entity agreeing to implement a corrective action plan that requires HIPAA Right of Access policies and procedures to be implemented or updated, and training to be provided to the workforce on the new policies. OCR said one covered entity did not cooperate with OCR’s investigation and waived the right to a hearing, which resulted in a civil monetary penalty being imposed.

| HIPAA-Regulated Entity | State | Penalty Type | Amount |
|---|---|---|---|
| Advanced Spine & Pain Management | Ohio | Settlement | $132,150 |
| Denver Retina Center | Colorado | Settlement | $30,000 |
| Rainrock Treatment Center (Monte Nido Rainrock) | Oregon | Settlement | $160,000 |
| Wake Health Medical Group | North Carolina | Settlement | $10,000 |
| Dr. Robert Glaser | New York | Civil Monetary Penalty | $100,000 |

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news