Since 2019, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has brought a number of enforcement actions against healthcare providers for their failure to comply with the HIPAA Privacy Rule’s right of access standard. This standard requires providers to give patients timely access to their medical records.

HIPAA Right of Access Case

Recently, OCR announced its 19th settlement under its 2019 right of access enforcement initiative. OCR has settled with the Diabetes, Endocrinology & Lipidology Center (DELC) of West Virginia for $5,000 over a potential right of access violation. As part of the OCR case settlement, DELC has agreed to enter into a corrective action plan (CAP). Details of the OCR case settlement are provided below.

DELC HIPAA Right of Access Case

DELC’s solo physician practice in Martinsburg, West Virginia, treats adults and children who suffer from hormonal imbalances. On July 8, 2019, the parent of a DELC patient requested a copy of her minor child’s medical information. The parent did not receive the information, and on August 6, 2019, filed an OCR complaint claiming DELC did not take timely action in response to the request. 

In October of 2019, OCR notified DELC of OCR’s investigation of DELC’s noncompliance with the right of access standard. Upon completion of the investigation, OCR determined that DELC’s failure to provide timely access to the records was a potential HIPAA violation. As a result of the investigation, DELC finally provided the requested records in May of 2021 – nearly two years after the initial request.

DELC settled the complaint by agreeing to pay OCR $5,000, and to submit to a two-year corrective action plan (CAP), in lieu of OCR imposing a civil monetary penalty.

The Cure is More Costly Than the Disease

The $5,000 fine is one of the smaller fines OCR has issued. However, what DELC must do to comply with the corrective action plan carries its own, significant expense. 

Under the two-year CAP, DELC must:

  • Review and revise policies and procedures for individual access to PHI, and include, in these policies and procedures, DELC’s method for calculating a reasonable cost-based fee for access to PHI.
  • Provide training materials regarding the individual’s right of access to PHI to HHS for review and approval. 
  • Provide annual training to all workforce members on the requirements of the right of access standard.
  • Every ninety days, submit to HHS a list of requests for access to PHI received by DELC, including the date request received, date request completed, format requested, format provided, number of pages (if provided in paper format), and cost, excluding postage.
  • Upon receiving information that a workforce member may have failed to comply with its access policies and procedures, promptly investigate the matter and notify HHS of any workforce failure to comply with the policies and procedures.  
  • Submit an annual written report to HHS regarding DELC’s compliance with the CAP.

Noted Acting OCR Director Robinsue Frohboese, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
