11 Right of Access Cases Settled



Eleven more HIPAA Right of Access cases have been resolved, as the OCR announced last week, bringing the total count of these enforcement actions up to 38.

In 2019, the OCR created the HIPAA Right of Access Initiative with the goal of helping patients get access to their protected health information more quickly. Since the Initiative began, the OCR has paid careful attention to complaints about slow or costly access, and healthcare organizations have faced penalties for not complying with the Right of Access requirements.

OCR director, Lisa J. Pino, said last Friday: “It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records.” She went on to recommend that providers “take note” of the increasing number of enforcement actions in this area, and recognize that the OCR is not taking this requirement lightly.

The Settlements

Let’s take a look at some of the settlements announced:

  1. A patient of a podiatry practice filed a complaint with the OCR that the practice had not provided access to his requested data. The OCR responded by directing the practice to provide access within 30 days. The practice did eventually provide part of the requested medical records – 618 days after the initial request.
    • Result: $100,000 penalty.
  2. A New York-based retina specialists group failed to provide patient access until three days after the OCR initiated its investigation, and five months after the patient’s initial request.
    • Result: $22,500 penalty, corrective action plan including revision of policies and procedures relating to Right of Access.
  3. An ear, nose, and throat practice failed to provide timely access to patient data, only responding several months late, when the patient had already filed multiple complaints with the OCR.
    • Result: $20,000 penalty, corrective action plan including policy revision and employee training on Right of Access standards.
  4. A health center reported that their failure to deliver quick access to requested data was due to an employee’s “misunderstanding of the HIPAA right of access standards.” After three separate requests the records were still not provided.
    • Result: $30,000 penalty, corrective action plan.
  5. A medical center failed to provide access to a patient’s protected data until it was under OCR investigation.
    • Result: $50,000 penalty, corrective action plan including policy review, employee training, annual reports to the OCR, and a detailed list of all PHI requests to the HHS every 90 days for the duration of the corrective action plan.

What Can I Do?

Make sure your employees are trained on HIPAA Right of Access requirements, and that your patients are receiving their requested personal data in a timely manner. If you have questions about these or any other HIPAA requirements, reach out to your team at Medcurity.


You can read about the other settlements here.