Recent enforcement actions by the Office for Civil Rights (OCR) underscore the importance of providing patients with copies of their protected health information (PHI) as required by HIPAA. Failure to provide access exposes covered entities to OCR investigations, corrective action plans and payment of monetary settlements.

On Sept. 15, 2020, OCR announced the settlement of five investigations as part of its HIPAA Right of Access Initiative. Through the initiative, OCR enforces individuals’ right of access to inspect and obtain a copy of their PHI.    

45 C.F.R. § 164.524 sets out detailed requirements for how and when covered entities must respond to an individual’s request for access. For example, a covered entity must act on a request for access no later than 30 days after receipt of the request (with certain exceptions). The regulation permits covered entities to impose a “reasonable, cost-based fee” if the individual requests a copy of the PHI or agrees to a summary of the PHI, provided that the fee includes only the cost of related labor, supplies, postage and time for preparing the summary. 

The recently announced settlements close OCR’s investigations into five covered entities who   allegedly failed to comply with these provisions: Housing Works Inc., All Inclusive Medical Services, Inc., Beth Israel Lahey Health Behavioral Services, King MD and Wise Psychiatry, PC.  As part of the settlements, each entity has agreed to pay settlement amounts ranging from $3,500 (King MD) to $70,000 (Beth Israel). The entities also agreed to adopt corrective action plans, which impose various requirements such as the revision of internal policies and procedures related to right of access, workforce training on right of access, and HHS monitoring ranging from one to two years.

In each case, OCR’s investigation was triggered by OCR’s receipt of one or more patient complaint(s) alleging that the entity failed to provide a copy of or access to requested medical records. Any person who believes a covered entity or business associate is not complying with the HIPAA Privacy Rules, including the right of access provision, may file a complaint with the Department of Health and Human Services. By and large, OCR investigates every complaint against a covered entity as long as the complaint was filed within 180 days of the alleged violation (or an extension was granted to the complainant). Moreover, OCR makes it very easy for patients to file complaints electronically by using OCR’s Complaint Portal Assistant. For all of these reasons, covered entities should avoid giving patients even the smallest reason for filing a complaint.

These five settlements bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative, and highlight OCR’s continued focus on pursuing covered entities who fail to give patients timely access to their health care records at a reasonable cost.