OCR Cracks Down on Right of Access Foot Dragging
Thanks to recent federal enforcement initiatives, prompt response to patient PHI requests should be a growing priority for HIPAA compliance.
Prompt response to patient requests for access to their lab test and other personal medical records is hardly a new obligation. But thanks to recent federal enforcement initiatives, it has—or at least should be—a growing priority for HIPAA compliance.
The HIPAA Privacy Rule Requirements
Under the HIPAA Privacy Rule, labs and other covered entities must act on an individual’s request for access to their protected health information (PHI) within 30 calendar days of receiving the request. If 30 days isn’t enough, the lab can get an additional 30 calendar days as long as it provides the requestor a written statement listing the reasons for the delay and the date by which it will complete its action in processing the request. These timelines apply even if the PHI that the individual requests is maintained not by the lab but a business associate on the lab’s behalf, in which case the initial 30-day deadline clock starts ticking on the date the lab receives the request rather than the date on which it forwards the request to the business associate. Nor does the lab get an extension for negotiating with the individual on the scope or format of the request. In other words, the clock still begins on the date of receipt, rather than the date negotiations end.The HIPAA Right of Access Initiative
Historically, the agency in charge of enforcing the HIPAA Privacy Rule, the HHS Office of Civil Rights (OCR), has focused on unlawful collection, use, and disclosure and provider efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, total right of access fines reached 14. Change in administration hasn’t resulted in change of enforcement policy. The Biden administration OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest, under the initiative. The momentum continues with two more right of access fines issued in March, bringing the total to 27. Here’s a Scorecard of all announced settlements to date.OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)
| Provider | Settlement Amount* | Allegations |
|---|---|---|
| Banner Health ACE | $200,000 | OCR cites two occasions in which Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI |
| Rainrock Treatment Center, LLC dba Monte Nido Rainrock | $160,000 | Florida eating treatment disorder took more than 8 months to fulfill patient’s request for a copy of her medical records |
| St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative |
| Dr. Robert Glaser | $100,000 | New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record |
| NY Spine Medicine | $100,000 | Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films |
| Bayfront Hospital | $85,000 | Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child |
| Korunda Medical | $85,000 | After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees |
| Children’s Hospital & Medical Center | $80,000 | Nebraska hospital failed to provide mother of minor patient timely access to her daughter’s medical records, despite repeated requests |
| Renown Health, P.C. | $75,000 | Nevada private, not-for-profit health system didn’t timely honor patient’s request to transfer her EHR and billing records to a third party |
| Sharp Rees-Stealy Medical Centers | $70,000 | California hospital and health care network didn’t timely honor request to transfer patient’s EHR to a third party |
| Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored request of personal representative seeking access to her father’s PHI |
| Arbour Hospital | $65,000 | Massachusetts mental health services provider kept patient waiting 5 months before granting access to his PHI |
| University of Cincinnati Medical Center, LLC | $65,000 | Ohio academic medical center failed to respond to patient’s request to send an electronic copy of her medical records maintained in its electronic health record EHR to her lawyers |
| Housing Works Inc. | $38,000 | New York City non-profit services provider refused patient’s request for a copy of his medical records |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Georgia primary care practice failed to provide patient access to his medical records |
| *Advanced Spine & Pain Management | $32,150 | Ohio pain services provider took nearly 4 months to provide patient requested medical records |
| Dr. Donald Brockley, D.D.M | $30,000 | Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record |
| Denver Retina Center | $30,000 | Colorado ophthalmological services provider took 8 months to provide requested medical records and lacked compliant access policies |
| Village Plastic Surgery | $30,000 | New Jersey practice failed to provide patient timely access to his medical records |
| Jacob and Associates | $28,000 | Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for five years in a row |
| Riverside Psychiatric Medical Group | $25,000 | California medical group didn’t provide patient copy of her medical records despite repeated requests and OCR intervention |
| Dr. Rajendra Bhayani | $15,000 | NY physician didn’t provide patient her medical records even after OCR intervened and closed the complaint |
| All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused patient’s requests to inspect and receive a copy of her records |
| Wake Health Medical Group | $10,000 | North Carolina primary care provider never furnished requested records despite charging patient $25 access fee |
| Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record |
| Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | West Virginia diabetes clinic made the mother of a minor patient wait nearly 2 years for access to his medical records |
| King MD | $3,500 | Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint |
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years
Subscribe to view Essential
Start a Free Trial for immediate access to this article