WANAN YOSSINGKUM/istock via Gett

Top HIPAA Right of Access Cases in 2021, So Far

As HIPAA turns 25, HHS’ Office of Civil Rights has been cracking down on HIPAA right of access enforcement to ensure individuals’ timely access to health records.

HIPAA right of access policies have evolved over the years with the goal of protecting patient privacy while ensuring that all individuals have equitable and timely access to health records.

Recent proposed changes to the HIPAA Privacy Rule aim to reduce administrative burden and bolster care coordination by allowing individuals to transmit certain protected health information (PHI) to any third party in an electronic format. The changes have been met with some controversy, as some experts believe the new rule makes patient records ripe for manipulation and data sharing cybersecurity issues.

As HIPAA turns 25 this year, HealthITSecurity rounded up the most important cases settled by HHS’ Office of Civil Rights (OCR) through its HIPAA Right of Access Initiative, which began in 2019.

BANNER HEALTH PAYS $200K TO SETTLE ACCESS VIOLATIONS

The first case of the year involved Arizona-based healthcare system Banner Health, which reached a settlement with OCR to resolve potential violations of the HIPAA Privacy Rule’s right of access standard.

Banner Health agreed to pay a $200,000 civil monetary penalty and form a corrective action plan to settle the allegations, according to an OCR press release. OCR received two formal complaints against Banner Health. The first involved a patient who allegedly requested her medical records in December 2017 but did not receive them until May 2018.

The second complaint alleged that a patient requested an electronic copy of his records in September 2019 but did not receive them until February 2020.

"This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records," Roger Severino, former OCR director, stated in the press release.

RENOWN HEALTH SETTLES PATIENT RIGHT OF ACCESS VIOLATION ALLEGATIONS FOR $75K

In its fifteenth settlement to date and second of 2021, OCR announced that Nevada-based nonprofit health system Renown Health agreed to pay $75,000 and take corrective actions to resolve a potential violation of the HIPAA right of access standard.

OCR received a complaint in February 2019 from a patient claiming that Renown Health failed to respond to her request for records in a timely manner. The patient requested that an electronic copy of her PHI be sent to a third party but did not receive the records until months later.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” Robinsue Frohboese, acting director of OCR, stated in the announcement.

Under Renown Health’s corrective action policy, the health system was required to develop and maintain written access policies and train its workforce to comply with records requests.

SHARP HEALTHCARE PAYS $70,000 FOR FAILING TO SEND EHR RECORDS TO THIRD PARTY

Two days after the Renown Health settlement was announced, OCR settled its sixteenth case under the HIPAA Right of Access Initiative. California-based Sharp Healthcare, also known as Sharp Rees-Stealy Medical Centers (SRMC), agreed to pay $70,000 and take corrective actions to resolve allegations.

SRMC allegedly failed to send a patient’s EHR records to a third party in a timely manner in June 2019. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the request. SRMC completed the patient’s request as a result of OCR’s investigation.

"Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right," Frohboese maintained in the announcement.

SRMC delivers care through three specialty hospitals, three affiliated medical groups, four acute-care hospitals, and a health plan. In addition to paying $70,000, the provider agreed to develop a corrective action plan that included two years of monitoring.

MASS. HOSPITAL FAILS TO PROVIDE TIMELY ACCESS TO PATIENT RECORDS

Arbour Hospital in Massachusetts was the subject of OCR’s seventeenth settlement under its Right of Access Initiative. The behavioral health provider paid $65,000 to resolve potential violations to right of access policies.

OCR received a complaint alleging that a patient’s request for records in May 2019 remained unfulfilled as of July 2019. The same patient filed a second complaint later in July stating that they had still not received the requested records.

The HIPAA right of access standard requires an entity to act on a records request within 30 days of receipt. The patient received their records in November 2019, five months after the initial request.

"Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care," Frohboese, reiterated in the announcement.

NJ PLASTIC SURGERY PROVIDER SETTLES FOR $30,000

In March, OCR announced its eighteenth settlement involving potential HIPAA right of access violations. New Jersey-based Village Plastic Surgery (VPS) settled for $30,000 and agreed to a corrective action plan.

A patient filed a complaint with OCR in September 2019 alleging that VPS did not respond to their August 2019 request for medical records. The patient received the requested records after OCR’s investigation.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner," Frohboese explained in the announcement. 

“Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

DIABETES, ENDOCRINOLOGY & LIPIDOLOGY CENTER SETTLES RIGHT OF ACCESS VIOLATIONS

OCR announced its most recent settlement in early June, involving West Virginia-based Diabetes, Endocrinology & Lipidology Center (DELC). The provider paid $5,000 to settle the potential violation and agreed to take corrective actions.

A parent filed a complaint in August 2019 alleging that DELC did not respond to her request for a copy of her child’s PHI. The investigation determined a potential right of access violation, and DELC provided the requested records in May 2021, almost two years after the initial request.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” Frohboese remarked. 

“Covered entities owe it to their patients to provide timely access to medical records.”

Dig Deeper on HIPAA compliance and regulation