OCR Ramps Up HIPAA Right of Access Initiative With Two New Settlements

The Office for Civil Rights at the U.S. Department of Health and Human Services (OCR) is cracking down on HIPAA-covered entities that fail to respond to patients’ requests for access to their medical records. And hospitals, physician groups and other medical providers should take note.

The HIPAA Privacy Rule gives patients a right to their health records.

The HIPAA Privacy Rule generally requires that covered entities (health plans and most health care providers) provide individuals, upon request, with access to their protected health information in one or more “designated record sets” maintained by or for the covered entity. A “designated record set” includes, among other records, medical records and billing records about individuals maintained by or for a covered health care provider.

The regulations under HIPAA have always recognized the importance of giving individuals the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

The OCR recently levied a $75,000 fine for one alleged Privacy Rule violation.

On Feb. 10, the OCR advised that it had settled its 15th enforcement action in its HIPAA Right of Access Initiative. The program aims to support individuals’ rights to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. As part of this settlement, Renown Health, P.C., a private, not-for-profit health system in Reno, Nevada, agreed to take corrective actions and pay a $75,000 fine to settle a potential violation of the HIPAA Privacy Rules right of access standard. The significance of this settlement is that this hefty fine appears to be tied to a single alleged violation. The press release issued about this settlement noted, “In February 2019, OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party. OCR’s investigation determined that Renown Health’s failure to provide timely access to the requested records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Renown Health provided access to all of the requested records.”

On top of the $75,000 settlement, Renown Health was required to undertake a corrective action plan that includes two years of monitoring.

Two days later, another settlement involved a similar fine and lengthy corrective action plan.

On Feb. 12, the OCR announced its 16th settlement of an enforcement action in its HIPAA Right of Access Initiative. Sharp HealthCare agreed to take corrective actions and pay a $70,000 fine to settle a potential violation of the HIPAA Privacy Rules right of access standard. Sharp is located in California and provides health care through four acute-care hospitals, three specialty hospitals, three affiliated medical groups and a health plan. 

The settlement and corrective action plan is a result of a complaint filed with the OCR in June 2019. It claimed that Sharp failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. The OCR provided Sharp with technical assistance on its alleged failure to provide access to the records and requested that Sharp respond to the patient’s request. In August 2019, the OCR received a second complaint from the same patient alleging that Sharp still had not responded to the patient’s records access request. The OCR investigated the matter and Sharp provided access to the requested records. 

In addition to the $70,000 settlement Sharp paid to the government, Sharp will undertake a corrective action plan that includes two years of monitoring.

What do these settlements mean for health care providers?

It is clear from these latest settlements that the OCR is taking very seriously patients’ rights to have access to their medical records in a timely manner. While Renown and Sharp represent health care systems, smaller physician practices are not immune from enforcement actions. The OCR has pursued patient right of access settlements and corrective action plans against many physician practices. The OCR’s Right of Access Enforcement Initiative is sending a strong message to all providers, from large health systems down to smaller physician groups, that giving patients access to their medical records is paramount under the HIPAA Privacy Rule, and that failure to comply with this requirement will result in hefty fines and onerous corrective action plans.

All health care providers should ensure that they have appropriate polices and procedures in place to provide individuals with timely access to their information as required by the HIPAA Privacy Rule. Please contact Jeff Moore or any member of Phelps’ Health Care team if you have questions or need compliance advice and guidance.