This year, the Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 14 enforcement actions it had filed against healthcare providers, health plans, and clinical labs. OCR resolved 13 of these 14 actions by entering into a Settlement Agreement with the covered entity. In the remaining action, OCR imposed a civil monetary penalty on the provider. The lessons from the 2021 HIPAA fines are three-fold:

  1. Healthcare providers should maintain effective and responsive right of access policies and procedures
  2. Conducting the Security Rule-mandated security risk assessment is as important as ever
  3. Cooperation with OCR can mitigate the severity of a penalty

These conclusions can be gleaned from the headlines: this year, OCR issued 12 right of access fines, as well as two fines for failure to adequately implement the Security Rule’s risk assessment requirement.

One of the twelve right of access fines, a $100,000 fine imposed on a Long Island, New York cardiologist, was issued in large part because the provider ignored its responsibility to cooperate with an OCR investigation. The 2021 HIPAA fines are examined in greater detail below.

Lesson #1 from 2021 HIPAA Fines: The Right of Access to Medical Records is Real

Before the HIPAA Privacy Rule was fully implemented in 2004, patients seeking access to the protected health information (PHI) in their medical records had it tough. Many state laws did not require providers to respond to records requests by a specific date, and the states that did have such laws were often reluctant or indifferent about enforcing them.

The HIPAA Enforcement Rule was implemented in 2006. Since then, OCR has had the power to impose civil monetary penalties upon providers who fail to comply with the HIPAA Privacy Rule right of access provision. Under this provision, patients are entitled to access, inspect, and obtain copies of their PHI. 

For thirteen years, OCR neither imposed civil monetary penalties on, nor entered into settlement agreements with, entities that failed to comply with the right of access provision.

And then came Bayfront Health. In September of 2019, OCR announced that it had settled a potential Bayfront Health right of access violation for $85,000. Bayfront incurred OCR’s wrath for having failed to provide a mother timely access to records about her unborn child. 

What happened?

In 2019, OCR publicly announced the start of a right of access enforcement initiative, thereby putting providers on notice that failure to comply with the right of access standard would no longer be tolerated. Since then, OCR has resolved 25 right of access complaints: it entered into settlement agreements with 24 covered entities and imposed a civil monetary penalty on one more. 2019 brought 2 right of access resolutions; 2020 brought 11; and 2021 brought 12.

The Twelve Right of Access Fines of 2021

The right of access resolution agreements and civil monetary penalty issued in 2021 have several things in common. The first and perhaps most obvious commonality is that all were issued during a global pandemic, when HHS was busy issuing and enforcing COVID-related guidance, and when OCR was exercising other enforcement powers, including imposing penalties against healthcare entities engaging in discriminatory practices. The world and HHS are busy, but there is still time for fines. Indeed, five fines were announced on the same day, November 30, 2021, right around the time the latest COVID-19 variant, Omicron, was added to HHS’ plate.

Who was dinged? Mostly small practices, apart from a few larger health systems whose settlements opened 2021. The practices that settled also all agreed to submit to a corrective action plan (CAP), which essentially means being monitored by HHS for one or two years to ensure there is no repeat incident. Let’s have a recap.

2021 HIPAA Right of Access Fines: #1 – Banner Health

Banner Health affiliated covered entities (Banner Health ACE) is a non-profit health system with 30 hospitals as well as primary care, specialty care, and urgent care facilities, and is one of the largest health systems in the United States. On January 12, 2021, OCR announced that it had reached a settlement with Banner Health ACE (employee size: approximately 40,000) to resolve potential HIPAA right of access violations. Several patients had requested their records and did not receive them in a timely fashion. The OCR settlement agreement requires Banner Health ACE to pay a $200,000 HIPAA fine and adopt a corrective action plan to ensure future compliance. In addition, as part of the settlement agreement, Banner Health ACE is subject to two years of monitoring by OCR.

2021 HIPAA Right of Access Fines: #2 – Renown Health

In February of 2021, OCR announced that not-for-profit Nevada health system Renown Health, P.C. (approximate employee size: 6,500) had agreed to pay $75,000 to the Department of Health and Human Services (HHS) to settle a potential right of access violation. What happened? Renown failed to provide a patient with electronic copies of her PHI for approximately a year. As part of its settlement with HHS, Renown agreed to placement under a corrective action plan (CAP). Renown is required to take the following actions under the CAP:

  • Renown must develop, maintain, and/or revise, as necessary, its written access policies and procedures to comply with the HIPAA Privacy Rule. The policies and procedures must address Renown’s failure to provide timely access to medical records by describing Renown’s obligations under the right of access provision. The procedures must ensure comprehensive and timely responses to requests for access to PHI. The policies and procedures must also outline protocols for training all workforce members involved in receiving or fulfilling access requests.
  • Renown must provide the policies and procedures to HHS for approval.
  • If HHS recommends any changes to the policies and procedures, Renown must make the revisions within 30 days of receiving the recommendations. The revision process continues until HHS approves the policies and procedures in full.

Had Renown provided the access to begin with, it would not have incurred these obligations. Renown is not the only provider to have been CAP-slapped this year. All 11 providers that settled right of access cases with OCR this year are now CAP-monitored.

Lesson: For providers who violate the right of access rule and settle by paying a fine, the song may have ended, but the melody lingers on.

2021 HIPAA Right of Access Fines: #3 – Sharp HealthCare

In February of 2021, Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), forked over $70,000 to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle a potential violation of the right of access standard. In April of 2019, a Sharp patient requested electronic access to their medical records. On June 11, 2019, the patient, through a representative, filed a complaint with OCR alleging that SRMC had failed to provide the requested access. OCR closed its resulting investigation two weeks later by providing SRMC with technical assistance.

OCR provided the technical assistance to stress the importance of a timely response to a request for access. Despite having received the assistance, SRMC did not provide the patient with access to the requested records until mid-October of 2019, and only as a result of OCR’s second investigation. OCR proposed a civil monetary penalty, and SRMC settled the potential access violation for $70,000 to avoid it.

Lesson: “I’m from the government, and I’m here to help” is not always a punchline.     

In many cases, OCR provides technical assistance to providers in lieu of fining them. Through this technical assistance, OCR walks providers through what they must do to comply with the right of access standard. Providers who take the help to heart avoid fines in the future. Providers who ignore the advice do so at their peril.

2021 HIPAA Right of Access Fines: #4 – Arbour Hospital

The facts of the next settlement, this time with 146-bed Arbour Hospital, are a virtual rerun of the SRMC episode. An Arbour patient requested records, did not receive them, and filed a complaint. OCR reviewed the complaint and provided Arbour with technical assistance, and guess what? The patient still did not receive the records. Only after a second investigation did the patient receive his records. Arbour settled the right of access skirmish with OCR for $65,000. Total time it took Arbour to provide the records to the patient: eight months.

2021 HIPAA Right of Access Fines: #5 – Village Plastic Surgery

Village Plastic Surgery (VPS) is a small, one-doctor practice in Ridgewood, New Jersey. In August of 2019, a VPS patient requested what should have been a small lift: copies of her medical records. She did not receive them and complained to OCR, which concluded that VPS may have violated the right of access standard. As a result of OCR’s investigation, VPS sent the patient her requested medical records.

(Mini Lesson, Obvious But Important All the Sam