Historically, the government agency in charge of enforcing the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule, the HHS Office of Civil Rights (OCR), has focused on unlawful collection, use, and disclosure, and on provider efforts to keep protected health information (PHI) private and secure. But in April 2019, the OCR announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the agency handed down its first-ever fine to a provider for failing to comply with its right of access obligations. By January 2021, the total number of right of access fines had reached 14.
The change in administration hasn’t resulted in a change in enforcement policy. The Biden administration OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest under the initiative. The momentum continues with two more right of access fines issued in March, bringing the total to 27.
The Moral: Remember that you have 30 calendar days to take action upon receiving an access request. If that’s not enough, you can get an extension of another 30 calendar days as long as you provide the requestor a written statement listing the reasons for the delay and the date by which you’ll complete your action in processing the request.