More Stringent Application of HIPAA Right of Access Rules by OCR Results in $200,000 Penalty

The announcement of a $200,000 settlement with Banner Health to conclude a HIPAA Right of Access investigation is further evidence that the HHS’ Office for Civil Rights (OCR) is applying the HIPAA Right of Access rules more stringently to healthcare providers that do not give patients timely access to their medical records.

Under the HIPAA Privacy Rule, individuals are permitted to access, inspect, and obtain a copy of their own protected health information. Following the submission of an access request, HIPAA-covered entities must provide a copy of the requested records in 30 days or less.

Previously, in 2020, OCR revealed that it would be tightening the application of the rules in relation to non-compliance with this important provision of HIPAA. As a result, 14 fines have been imposed on HIPAA-covered entities that failed in their duty to provide patients with access to their medical records within this time period.

Phoenix, AZ-based Banner Health is one of the biggest healthcare systems operating in the United States. The non-profit health group manages 30 hospitals and many primary care, urgent care, and specialty care clinics.

Two separate HIPAA compliance complaints were submitted to OCR by patients of Banner Health-affiliated covered entities, claiming that they experienced long delays in receiving copies of their medical records. The first patient filed a request with Banner Estrella Medical Center in December 2017 and did not receive the requested records until May 2018. A second complaint alleged that a separate patient had to wait five months for a digital copy of his records. That request was filed with Banner Gateway Medical Center in September 2019, and he did not receive the records until February 2020.

The $200,000 financial penalty is the highest imposed on a HIPAA-covered entity by OCR under its HIPAA Right of Access enforcement initiative. Along with paying the financial penalty, Banner Health has agreed to implement a range of corrective measures that include reviewing and revising written policies on health record access, implementing those policies, and training staff on the new policies. OCR will monitor Banner Health for two years to ensure compliance with the corrective action plan.

OCR Director Roger Severino said: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records”.

Author: Maria Perez