2020 has been an unenviable year of firsts and of worsts. Add to this another undesirable record-breaker. In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a record 19 fines for failure to comply with the HIPAA regulations. 11 of the fines issued were for a failure to comply with the HIPAA Privacy Rule’s right of access. The message from OCR in 2020: provide records to patients when they request them, without delay. 2020 right of access enforcement is discussed below.

OCR and Right of Access Enforcement

Right of Access Enforcement

Under the HIPAA Privacy Rule’s right of access provision, providers must permit patients to inspect and obtain copies of their protected health information (PHI). The right of access provision takes “waiting time” out of providers’ hands. Generally, a provider must act on a request for access no later than 30 days after receiving it. 

In 2019, OCR announced its “HIPAA Right of Access Initiative,” under which OCR right of access enforcement was made a priority, to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. Later that year, OCR made good on its enforcement promise by issuing two fines under the initiative, one in September and one in December.

2020 Right of Access Enforcement: 11 Organizations Fined

Fast forward to September of 2020: up to this point, only three fines had been issued by OCR, none under the right of access initiative. On September 15, what had been a quiet year became a noisy one. OCR announced that it had issued right of access fines to five separate providers. The first of these, issued to non-profit provider Housing Works, Inc., was relatively unremarkable. In the summer of 2019, a complainant notified OCR that he had not been provided with copies of his medical records in a timely manner. OCR investigated, found that Housing Works, Inc., had not complied with the right of access rule, and fined Housing Works, Inc., in the amount of $38,000.

The other four right of access cases involved more egregious behavior. In one, the provider failed to give the patient access to inspect AND obtain a copy of records. The provider was hit with a $15,000 fine and a two-year corrective action plan (CAP), under which the provider must develop Privacy Rule policies and procedures, and train employees on them.

Beth Israel Lahey Health Behavioral Services (“BILHBS”), the target of the third, $70,000 fine, failed to timely provide a woman who had been appointed as the personal representative of her father’s estate with her father’s medical records, taking almost a whole year to deliver the records in full. 

Two-employee practice Patricia King MD & Associates (“King MD”) needed two tries to get HIPAA right. On October 18, 2018, OCR received a complaint alleging Patricia King MD & Associates failed to provide an individual with access to her protected health information. OCR, instead of issuing a fine, provided this psychiatry practice with technical assistance regarding the right of access provision. The help was for naught, as in February of 2019, OCR received a second complaint about continuing noncomp