The Department of Health and Human Services’ (HHS) Office for Civil Rights recently announced its seventeenth settlement of an enforcement action under its HIPAA Right of Access Initiative. The Arbour, Inc., doing business as Arbour Hospital (Arbour), has agreed to pay $65,000 to settle a potential right of access standard violation. Arbor has also agreed to submit to a one-year corrective action plan (CAP). More details on the right of access violation settlement are discussed.

Right of Access Violation Settlement: The Facts

Right of Access Violation Settlement

Arbour Hospital is a Massachusetts behavioral health services provider. In March of 2019, an Arbour patient requested access to his medical records. The patient, having not received the records, filed a complaint with OCR. OCR received the complaint on July 5, 2019. OCR responded to the complaint by providing Arbour with technical assistance on how to comply with the right of access standard. This standard requires that patients be given timely access to protected health information in their medical records. This means that providers must take action on an access request within 30 days of receipt. After OCR provided the assistance, OCR closed the complaint. 

However, even after being given the assistance, Arbour did not provide the patient with copies of his medical records. The patient then filed a second complaint, on July 28, alleging that Arbour had failed to respond to the request made in March. Upon investigation, OCR determined that Arbour had potentially violated the right of access standard. Finally, as a result of OCR’s investigation, Arbour provided the patient with a copy of the requested records. Arbour did not provide the records until November of 2019 – eight months after the records were first requested.

Let’s Simplify Compliance

Do you need help complying with the HIPAA right of access? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

Faced with being issued a civil monetary penalty (CMP) for noncompliance with the right of access standard, Arbour agreed to settle with OCR for $65,000. Arbour also agreed to submit to a corrective action plan. The terms of the settlement can be found here

Under the terms of the corrective action plan, Arbour must develop and implement the following:

  • A “Right of Access to PHI” policy to ensure comprehensive and timely responses to requests for records.
  • Protocols for training all Arbour’s workforce members and business associates that are involved in receiving or fulfilling access requests, as necessary and appropriate to ensure compliance with the “Right of Access to PHI” policy.
  • A sanctions policy, to be applied against Arbour workforce members who fail to comply with the “Right of Access to PHI” policy.
  • A process for reviewing business associate performance with regard to access requests and responses, and for terminating relationships with business associates who fail to permit Arbour to comply with the “Right of Access to PHI” policy.

In addition, Arbour must designate one or more individuals, who are to ensure that Arbour’s business associate agreements with business associates involved in Arbour’s right of access responsibilities, are properly executed.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed