
Arbour Hospital Pays OCR $65K Over HIPAA Right of Access Violation

The $65,000 settlement with Arbour Hospital is the seventeenth made by OCR under its HIPAA Right of Access Initiative, an agency compliance priority.

The Department of Health and Human Services announced it reached a $65,000 settlement with Massachusetts-based Arbour Hospital, which resolved potential violations of the HIPAA right of access standard. 

It’s the seventeenth enforcement action taken under the OCR’s Right of Access Initiative. Launched in 2019 as an agency enforcement priority, the effort is designed to support the right of patients to access their medical records in a timely fashion and in a desired format.

HIPAA requires covered entities and relevant business associates to provide patients with timely access to their protected health information within a designated record set, with few exceptions. Providers must send requested records within 30 days, or within 60 days if an extension is applicable.

For Arbour Hospital, the enforcement action stems from a patient complaint filed with OCR in July 2019. The patient alleged that he requested records from the hospital beginning on May 7, 2019 and had yet to receive them at the time of the complaint, nearly two months later.

OCR responded by providing Arbour Hospital with technical assistance on right of access requirements. But several weeks later, the patient again notified OCR that he still had not received his requested records.

HHS launched an investigation into the incident and found the patient sent Arbour Hospital a signed, written request for his medical records and that the hospital failed to respond to the request in a timely manner.

As a direct result of the investigation, the patient received the requested records on November 1, 2019, more than five months after his initial request.

“Healthcare providers have a duty to provide their patients with timely access to their own health records,” Acting OCR Director Robinsue Frohboese said in a statement.

“OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” she added.

In addition to the $65,000 civil monetary penalty, Arbour Hospital has agreed to adhere to a corrective action plan that includes two years of monitoring from OCR.

The hospital is required to develop and maintain written access policies and procedures to address the right of access requirements to comply with the HIPAA Privacy Rule that governs PHI.

At a minimum, the policies must include protocols for training all hospital staff and business associates involved with receiving or fulfilling access requests to ensure compliance with the policies and procedures. Training must occur within 60 days of HHS approval.

Arbour Hospital will also need to develop a process for reviewing business associate performance with regard to access requests, as well as terminating business associate relationships that fail to meet the hospital's right of access policies.

The hospital will also need to assign a leader to be responsible for reviewing and maintaining business associate agreements, specifically as they pertain to access responsibilities.

Despite HIPAA’s right of access rule, many providers fail to fully comply. An OCR audit recently found 89 percent of providers failed to comply with right of access requirements.

OCR has made right of access compliance a key priority. In the last six months alone, the agency has taken enforcement actions against eight separate providers for potential access violations, including a $160,000 settlement with Dignity Health.

HHS has also proposed changing the HIPAA rule to further enhance patient access rights.
