Natali_Mis/istock via Getty Imag

Banner Health to Pay OCR $200K for HIPAA Right of Access Failures

One of the largest US health systems, Banner Health, reached a $200,000 settlement with OCR to resolve two separate patient complaints that alleged right of access failures.

The Department of Health and Human Services Office for Civil Rights reached a $200,000 civil monetary penalty and a corrective action plan with Banner Health, to resolve potential violations of the HIPAA Privacy Rule Right of Access standard.

The Arizona-based healthcare system is one of the largest in the US, with more than 30 hospitals and a range of primary care, urgent care, and specialty facilities. The settlement covers more than 74 covered entities included under the Banner Health umbrella.

Announced as an enforcement priority in 2019, the OCR RIght of Access Initiative is designed to support the right of patients to access their medical records in a requested format and in a timely fashion, for a reasonable fee. While required under HIPAA, data shows many providers fail to meet the privacy rule requirements.

Notably, HHS recently proposed making changes to HIPAA to better support interoperability and meet patient right of access needs.

The Banner settlement is the fourteenth enforcement penalty announced under the initiative and the first of 2021. It's also the largest OCR enforcement penalty levied against a covered entity for possible Right of Access violations.

"This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records," said OCR Director Roger Severino, in a statement.

The enforcement action stems from two patient complaints filed against Banner Health.

The first complaint was filed on August 17, 2018 by the patient’s attorney, which alleged the individual requested access to her medical records in December 2017 but didn’t receive the information until five months later in May 2018.

On January 3, 2020 OCR received a separate complaint against Banner Health from a law firm employee, on behalf of a client. The second individual claimed that the patient requested an electronic copy of his medical records from the Banner Gateway Medical Center on July 15, 2019 and again in September 2019.

According to the report, the requested medical records were not sent to the second patient until February 2020 -- more than six months after the initial requests.

OCR notified Banner Health on both February 5, 2019 and March 23, 2020 that it would be investigating the health system’s compliance with the HIPAA rules. The audit found Banner failed to provide these patients with timely access to their protected health information.

However, the corrective action plan noted that in signing the settlement with OCR, Banner Health is not admitting liability.

Under the CAP, Banner Health will pay the $200,000 settlement and submit to two years of monitoring by OCR.

Banner Health is required to review and revise its written policies and procedures and other written communications regarding its provisions for access to medical records, including patient access requests.

The review must ensure the policies are comprehensive and accurate for responses to records’ requests, as well as improving the training protocols for all Banner Health workforce members tasked with fulfilling patient records requests to ensure compliance with the HIPAA rule.

The training protocols must be reviewed annually and updated to reflect changes in federal law or HHS guidance.

It’s been a costly year for Banner Health, as it also reached an $8.9 million settlement in April 2020 with the more than 3.7 million patients, members, and beneficiaries impacted from a June 2016 data breach.

Under that settlement, the health system was required to make significant improvements to its information security program.

Next Steps

Dig Deeper on HIPAA compliance and regulation