Home 5 Articles 5 OCR Cracks Down on Right of Access Foot Dragging

OCR Cracks Down on Right of Access Foot Dragging

by | Apr 21, 2022 | Articles, Enforcement-nir, Essential, National Lab Reporter

Thanks to recent federal enforcement initiatives, prompt response to patient PHI requests should be a growing priority for HIPAA compliance.

Prompt response to patient requests for access to their lab test and other personal medical records is hardly a new obligation. But thanks to recent federal enforcement initiatives, it has—or at least should be—a growing priority for HIPAA compliance.

The HIPAA Privacy Rule Requirements

Under the HIPAA Privacy Rule, labs and other covered entities must act on an individual’s request for access to their protected health information (PHI) within 30 calendar days of receiving the request. If 30 days isn’t enough, the lab can get an additional 30 calendar days as long as it provides the requestor a written statement listing the reasons for the delay and the date by which it will complete its action in processing the request. These timelines apply even if the PHI that the individual requests is maintained not by the lab but a business associate on the lab’s behalf, in which case the initial 30-day deadline clock starts ticking on the date the lab receives the request rather than the date on which it forwards the request to the business associate. Nor does the lab get an extension for negotiating with the individual on the scope or format of the request. In other words, the clock still begins on the date of receipt, rather than the date negotiations end.

The HIPAA Right of Access Initiative

Historically, the agency in charge of enforcing the HIPAA Privacy Rule, the HHS Office of Civil Rights (OCR), has focused on unlawful collection, use, and disclosure and provider efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, total right of access fines reached 14. Change in administration hasn’t resulted in change of enforcement policy. The Biden administration OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest, under the initiative. The momentum continues with two more right of access fines issued in March, bringing the total to 27. Here’s a Scorecard of all announced settlements to date.

OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)

ProviderSettlement Amount*Allegations
Banner Health ACE$200,000OCR cites two occasions in which Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI
Rainrock Treatment Center, LLC dba Monte Nido Rainrock$160,000Florida eating treatment disorder took more than 8 months to fulfill patient’s request for a copy of her medical records
St. Joseph’s Hospital and Medical Center$160,000Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative
Dr. Robert Glaser$100,000New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record
NY Spine Medicine$100,000Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films
Bayfront Hospital$85,000Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child
Korunda Medical$85,000After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees
Children’s Hospital & Medical Center$80,000Nebraska hospital failed to provide mother of minor patient timely access to her daughter’s medical records, despite repeated requests
Renown Health, P.C.$75,000Nevada private, not-for-profit health system didn’t timely honor patient’s request to transfer her EHR and billing records to a third party
Sharp Rees-Stealy Medical Centers$70,000California hospital and health care network didn’t timely honor request to transfer patient’s EHR to a third party
Beth Israel Lahey Health Behavioral Services$70,000Massachusetts provider ignored request of personal representative seeking access to her father’s PHI
Arbour Hospital$65,000Massachusetts mental health services provider kept patient waiting 5 months before granting access to his PHI
University of Cincinnati Medical Center, LLC$65,000Ohio academic medical center failed to respond to patient’s request to send an electronic copy of her medical records maintained in its electronic health record EHR to her lawyers
Housing Works Inc.$38,000New York City non-profit services provider refused patient’s request for a copy of his medical records
Peter Wrobel, M.D., P.C., dba Elite Primary Care$36,000Georgia primary care practice failed to provide patient access to his medical records
*Advanced Spine & Pain Management$32,150Ohio pain services provider took nearly 4 months to provide patient requested medical records
Dr. Donald Brockley, D.D.M$30,000Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record
Denver Retina Center$30,000Colorado ophthalmological services provider took 8 months to provide requested medical records and lacked compliant access policies
Village Plastic Surgery$30,000New Jersey practice failed to provide patient timely access to his medical records
Jacob and Associates$28,000Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for five years in a row
Riverside Psychiatric Medical Group$25,000California medical group didn’t provide patient copy of her medical records despite repeated requests and OCR intervention
Dr. Rajendra Bhayani$15,000NY physician didn’t provide patient her medical records even after OCR intervened and closed the complaint
All Inclusive Medical Services, Inc.$15,000California multi-specialty family medicine clinic refused patient’s requests to inspect and receive a copy of her records
Wake Health Medical Group$10,000North Carolina primary care provider never furnished requested records despite charging patient $25 access fee
Wise Psychiatry, PC$10,000Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record
Diabetes, Endocrinology & Lipidology Center, Inc. $5,000West Virginia diabetes clinic made the mother of a minor patient wait nearly 2 years for access to his medical records
King MD$3,500Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years

Subscribe to view Essential

Start a Free Trial for immediate access to this article