OCR Cracks Down on Right of Access Foot Dragging
Thanks to recent federal enforcement initiatives, prompt response to patient PHI requests should be a growing priority for HIPAA compliance.

Prompt response to patient requests for access to their lab test and other personal medical records is hardly a new obligation. But thanks to recent federal enforcement initiatives, it has become, or at least should be, a growing priority for HIPAA compliance.
The HIPAA Privacy Rule Requirements
Under the HIPAA Privacy Rule, labs and other covered entities must act on an individual’s request for access to their protected health information (PHI) within 30 calendar days of receiving the request. If 30 days isn’t enough, the lab can get an additional 30 calendar days as long as it provides the requestor a written statement listing the reasons for the delay and the date by which it will complete its action in processing the request. These timelines apply even if the PHI that the individual requests is maintained not by the lab but by a business associate on the lab’s behalf, in which case the initial 30-day deadline clock starts ticking on the date the lab receives the request rather than the date on which it forwards the request to the business associate. Nor does the lab get an extension for negotiating with the individual on the scope or format of the request. In other words, the clock still begins on the date of receipt, rather than the date negotiations end.
The HIPAA Right of Access Initiative
Historically, the agency in charge of enforcing the HIPAA Privacy Rule, the HHS Office of Civil Rights (OCR), has focused on unlawful collection, use, and disclosure and provider efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, total right of access fines reached 14. Change in administration hasn’t resulted in change of enforcement policy. The Biden administration OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest, under the initiative. The momentum continues with two more right of access fines issued in March, bringing the total to 27. Here’s a Scorecard of all announced settlements to date.
OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years.