OCR Announces Five HIPAA “Right of Access” Settlements

On September 15, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced five new settlements relating to enforcement of HIPAA’s right of access rule. Under HIPAA, patients have the right to timely access to their medical records, as recently discussed here.

A HIPAA covered entity must respond to a patient’s request for access to records within 30 days of receiving the request. HIPAA permits covered entities to charge patients a reasonable fee for such access, unless otherwise prohibited by applicable state law. Last year, OCR announced that it is prioritizing enforcement of this rule as part of its HIPAA Right of Access Initiative.

Each of the newly announced settlements stemmed from a patient complaint which triggered an OCR investigation. In each case, the covered entity ignored or denied a patient’s request for access to or copies of his or her medical records, and the patient filed a complaint with OCR. OCR concluded that the covered entities potentially violated the HIPAA right of access rule and settled with each covered entity for a monetary fine. Each covered entity also agreed to implement a corrective action plan that includes monitoring by OCR to ensure HIPAA compliance. The five settlements are as follows:

• Housing Works, Inc., a New York City non-profit organization that provides healthcare services and other community resources such as homeless services, job training and legal aid to individuals affected by HIV/AIDS, agreed to pay $38,000 for failing to provide a patient with access to his medical records on two separate occasions;
• All Inclusive Medical Services, Inc., a California-based family medical clinic, agreed to pay $15,000 for refusing a patient access to her medical records;
• Beth Israel Lahey Health Behavioral Services, a large network of mental health and substance abuse services in Massachusetts, agreed to pay $70,000 for failing to respond to a request from a patient’s personal representative to access her father’s medical records;
• King MD, a small psychiatric services provider in Virginia, agreed to pay $3,500 for failing to respond to a patient’s request for access to her medical records on two separate occasions; and
• Wise Psychiatry, PC, a small psychiatric practice in Colorado, agreed to pay $10,000 for failing to provide a parent with access to his minor son’s medical records on two separate occasions.

These settlements are a reminder to all covered entities about the importance of complying with HIPAA and, in particular, ensuring that patients have access to their medical records as required by law. “Patients can’t take charge of their health care decisions without timely access to their own medical information,” said OCR Director Roger Severino, adding that the OCR settlements are “about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”