HIPAA Right of Access Case Involving Massachusetts Mental Health Clinic Settled for $65,000

Following a HIPAA Right of Action investigation by the HHS’ Office for Civil Rights (OCR), Arbour Hospital, a mental health clinic in Boston, MA, has agreed to pay a $65,000 HIPAA fine.

OCR was made aware of a possible breach of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital claimed he had asked for a copy of his medical records from the hospital on May 7, 2019 but had not been given with those records inside two months.

The HIPAA Right of Access enforcement initiative was launched by OCR in late 2019 to make sure that patients are given timely access to their medical records for a reasonable cost. This is the 17th financial penalty to be paid to OCR to settle HIPAA Right of Access breaches under this enforcement initiative and the 4th HIPAA Right of Access settlement to be revealed in 2021.

When a healthcare organization is sent a request from a patient who would like to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be made available as quickly as possible and no later than 30 days after the request is received. A 30-day extension can be granted in cases where records are held at an offsite location or are otherwise not easily accessible. In such instances, the patient asking for the records must be told about the extension in writing within 30 days and be given the reason for the delay.

OCR got in touch with Arbour Hospital and supplied technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then filed another complaint to OCR on July 28, 2019 when his medical records had still not been made available. The records were finally provided to the patient on November 1, 2019, almost six months after the written request was first registered and more than three months after OCR provided technical assistance on the HIPAA Right of Access.

OCR ruled that the failure to respond to a written, signed medical record request from a patient in a timely fashion was in breach of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). Along with the fine, Arbour Hospital must implement a corrective action plan that includes implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be closely monitored by OCR for compliance for 12 months.

Acting OCR Director Robinsue Frohboese said: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.”

Author: Maria Perez