2020 Right of Access Enforcement

2020 has been an unenviable year of firsts and of worsts. Add to this another undesirable record-breaker. In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights issued a record 19 fines for failure to comply with the HIPAA regulations. 11 of the fines issued were for a failure to comply with the HIPAA Privacy Rule’s right of access. The message of OCR 2020 – provide records to patients when they request them, without delay. 2020 right of access enforcement is discussed below.

OCR and Right of Access Enforcement

Under the HIPAA Privacy Rule’s right of access provision, providers must permit patients to inspect and obtain copies of their protected health information (PHI). The right of access provision takes “waiting time” out of providers’ hands. Generally, a provider must act on a request for access no later than 30 days after receiving it. 

In 2019, OCR announced its “HIPAA Right of Access Initiative,” under which OCR right of access enforcement was made a priority, to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. Later that year, OCR made good on its enforcement promise by issuing two fines under the initiative, one in September and one in December.

2020 Right of Access Enforcement: 11 Organizations Fined

Flash forward to September of 2020: Up to this point, only three fines had been issued by OCR  – none under the right of access initiative. On September 15, what had been a quiet year became a noisy one. OCR announced that it had issued right of access fines to five separate providers. The first of these, issued to non-profit provider Housing Works, Inc., was relatively unremarkable. In the summer of 2019, a complainant notified OCR that complainant had not been timely provided with copies of his medical records. OCR investigated, and found that Housing Works, Inc., had not complied with the right of access rule, and fined Housing Works, Inc., in the amount of $38,000.

The other four cases in which the right of access enforcement continued involved more egregious behavior. In one, the provider failed to provide the patient access to inspect AND access a copy of records. The provider was hit with a $15,000 fine and a two-year corrective action plan (CAP), under which the provider must develop Privacy Rule policies and procedures, and train employees on them. 

Beth Israel Lahey Health Behavioral Services (“BILHBS”), the target of the third, $70,000 fine, failed to timely provide a woman who had been appointed as the personal representative of her father’s estate with her father’s medical records, taking almost a whole year to deliver the records in full. 

Two-employee practice Patricia King MD & Associates (“King MD”) took two times to get HIPAA right. On October 18, 2018, OCR received a complaint alleging Patricia King MD & Associates failed to provide an individual with access to her protected health information. OCR, instead of issuing a fine, provided this psychiatry practice with technical assistance regarding the right of access provision. The help was for naught, as in February of 2019, OCR received a second complaint about continuing noncompliance. After investigation, OCR fined King MD $3,500 and imposed a two-year corrective action plan. The OCR 2020 CAP requires King MD to implement the policies and procedures that were the subject of the technical assistance.

In another case, a father who requested his minor son’s medical records from Wise Psychiatry PC gave Wise all of the information it needed to process a November 2017 request, to which Wise did not respond until May of 2019 – only after the father complained to OCR. As a result of OCR’s investigation, Wise Psychiatry sent the complainant a copy of his son’s PHI via certified mail on May 30, 2019. The year-and-a-half delay’s price tag: a $10,000 fine and corrective action plan.

What Did the Fines Have in Common?

The five fines shared commonalities with each other, and with the six additional right of access fines issued before year’s end. In each instance, the provider that was fined was a relatively small shop. The fine that was issued was relatively small – no fine exceeded $200,000. Of course, some of the fines differed from each other in a few particulars – some practices were GPs, some orthopedic, some psychiatric, and the fines were issued to practices as far west as California and as far east as New York (which earned the distinction of “state having the most OCR 2020 fines”). 

What the OCR 2020 right of access fines ultimately share in common is that they are evidence that OCR is making good on its promise to enforce the right of access initiative. Providers who ignore or refuse to respond to patient requests are subject not only to onerous corrective action plans and fines, but to negative publicity stemming from being prominently placed on OCR’s website.