Getty Images

HHS reaches HIPAA right of access settlement with Phoenix Healthcare

Phoenix Healthcare agreed to pay $35,000 and revise its HIPAA policies to resolve OCR’s 47th right of access enforcement action.

The HHS Office for Civil Rights (OCR) announced a HIPAA right of access settlement with Oklahoma-based Phoenix Healthcare, marking the office’s 47th enforcement action under the HIPAA Right of Access Initiative.

Under the terms of the settlement, Phoenix Healthcare, which operates several nursing care facilities in Oklahoma, agreed to pay a $35,000 civil money penalty and implement several corrective actions to improve its HIPAA policies.

The settlement stemmed from an April 2019 complaint to OCR, which alleged that Phoenix Healthcare had not provided a daughter, who was serving as her mother’s personal representative, with a copy of her mother’s medical records.

Following attempts by OCR to obtain the records, Phoenix Healthcare sent the records on January 30, 2020, 323 days after the initial request.

Under HIPAA right of access provisions, covered entities are required to provide patients with their medical records within 30 days, with few exceptions.

“With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand,” HHS guidance states.

“Putting individuals ‘in the driver’s seat’ with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.”

OCR initially imposed a $250,000 civil money penalty against Phoenix Healthcare for its failure to comply with HIPAA right of access provisions. However, Phoenix Healthcare sought a hearing before an Administrative Law Judge to contest the penalty. The judge directed Phoenix to pay a civil money penalty of $75,000 instead.

Phoenix appealed the judge’s determination, and Phoenix and OCR later reached a settlement in the amount of $35,000, and Phoenix agreed to not challenge the decision further.

In addition to the monetary penalty, Phoenix agreed to update its policies and procedures to reflect HIPAA right of access provisions. In addition, Phoenix was required to provide OCR with copies of its workforce training materials. If Phoenix fails to complete the actions set forth in the settlement agreement, it must pay the $75,000 civil money penalty in full.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer.

“Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.” 

Next Steps

Dig Deeper on HIPAA compliance and regulation