In 2020, the Office for Civil Rights (OCR) kept the promise it made the prior year to “vigorously enforce” the rights of patients to access and exercise control over their medical records. OCR has settled ten “right of access” investigations since September 2020 alone. The settlements extended across a wide range of covered entities, from large health care systems to smaller focused mental health service providers, and the settlement amounts varied widely, ranging from $3,500 to $160,000.
In addition to the monetary settlements, all the covered entities involved are subject to detailed corrective action plans (CAPs), which include one to two years of monitoring by OCR. Importantly, all of the investigations that resulted in settlements to date were initiated after the individual trying to access the records filed a complaint with OCR. In several cases, the individual made multiple complaints to OCR over time after the individual was unable to access the requested records.
A detailed summary of each settlement appears at the bottom of this post, but a key takeaway is that covered entities must respond to an individual’s access request no later than 30 days after receipt of the request. All of the settlements to date involved, at least in part, a failure to respond within that required timeframe.
Note that OCR released proposed rules yesterday that, if finalized, would implicate many of the right of access provisions below. Stay tuned for Foley’s forthcoming blog on those proposed rules.
HIPAA provides that covered entities must permit individuals to inspect and obtain a copy of their protected health information (PHI) maintained in a designated record set, with very limited exceptions. 45 CFR § 164.524. OCR has issued additional guidance on the access right, making clear the right is very broad. Considering OCR’s recent interest in enforcement in this space, covered entities should ensure their policies, procedures, and practices support individuals’ access rights in accordance with HIPAA’s requirements, including the following areas. Note that to the extent state law provides individuals with greater access rights than HIPAA, covered entities must follow the state law in addition to HIPAA.
Other costs cannot be charged, even if permitted by state law. Note these fee limitations do not apply to an individual’s request for a covered entity to transmit records directly to a third party.
Note that covered entities should not require individuals to complete a full HIPAA authorization to exercise their access rights under HIPAA. Because a HIPAA authorization requests more information than is necessary, or information that may not be relevant, for individuals to exercise their access rights, OCR states that requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.
In the words of OCR Director Roger Severino, “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”
# | Settlement Date | Alleged Violation(s) | Summary of Facts | Settlement |
1 | Sept 2019 | Timely Access | Failed to provide a mother timely access to records about her unborn child. Records were provided > 9 months after initially requested. Access right “extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.” | $85,000 + CAP w/ 1 year of monitoring |
2 | Dec 2019 | Timely Access | Failed, despite repeated requests, to timely provide a patient’s medical records to a third party in the requested electronic format. Charged more than the reasonable cost-based fees allowed under HIPAA. OCR provided assistance on how to correct issue and closed the complaint. Records provided 2 months later after OCR’s second intervention. | $85,000 + CAP w/ 1 year of monitoring |
3 | Sept 2020 | Timely Access | Failed to provide a patient with copies of his medical records. OCR provided technical assistance and closed the complaint. OCR received second complaint that patient had still not received his records. Records provided 4 months later. | $38,000 + CAP w/ 1 year of monitoring |
4 | Sept 2020 | Timely Access | Denied a patient’s requests to inspect and receive a copy of her records. Sent patient records 16 months later after OCR opened an investigation. | $15,000 + CAP w/ 2 years of monitoring |
5 | Sept 2020 | Timely Access | Failed to respond to request from a personal representative seeking access to her father's medical records. Records provided 8 months later after OCR opened an investigation. | $70,000 + CAP w/ 1 year of monitoring |
6 | Sept 2020 | Timely Access | Failed to respond to an individual's request for access to her medical records. OCR provided technical assistance and closed the complaint. OCR received second complaint that patient had still not received her records. Individual received her medical records 23 months later. | $3,500 + CAP w/ 2 years of monitoring |
7 | Sept 2020 | Timely Access | Failed to provide a personal representative with access to his minor child’s medical records requested. OCR provided technical assistance and closed the complaint. OCR received second complaint that the personal representative had still not received the records. Records sent 18 months later. | $10,000 + CAP w/ 1 year of monitoring |
8 | Oct 2020 | Timely Access | Failed to provide a personal representative with access to minor child’s medical records beginning in January 2018. Provided some of the requested records, but not all of them despite the personal representative’s follow up requests in March, April, and May 2018. All requested medical records provided in December 2019, more than 22 months after the initial request. | $160,000 + CAP w/ 2 years of monitoring |
9 | Oct 2020 | Timely Access | Individual made multiple requests for a copy of her medical records. Provided some of the records, but did not provide the diagnostic films specifically requested. All requested medical records provided 16 months after the initial request. | $100,000 + CAP w/ 2 years of monitoring |
10 | Nov 2020 | Timely Access; Proper Denial of Access to Psychotherapy Notes | Failed to provide patient a copy of her medical records despite multiple requests. OCR provided technical assistance and closed the complaint. OCR received second complaint that patient had still not received the records. Covered entity stated that because the requested records included psychotherapy notes, it did not have to comply with the access request. However, entity did not follow HIPAA’s requirements for denying access to the applicable records and did not provide access to all other requested records. All requested medical records, minus psychotherapy notes, were provided to the patient 20 months after the initial request. | $25,000 + CAP w/ 2 years of monitoring |
11 | Nov 2020 | Timely Access | Failed to provide a patient with access to her medical records. OCR provided technical assistance and closed the complaint. OCR received second complaint that patient had still not received the records. All requested medical records provided 26 months after the initial request. | $15,000 + CAP w/ 2 years of monitoring |
12 | Nov 2020 | Timely Access; Transmission to Third Party; Form/Format | Failed to timely provide a patient’s medical records to a third party in the requested electronic format. Rights include the right to have electronic records timely transmitted to a third party. Investigation determined that the covered entity failed to timely provide records per the request. Records received 6 months after the initial request. | $65,000 + CAP w/ 2 years of monitoring |