On November 30, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of five HIPAA right of access investigations. OCR settled four right of access complaints, with providers in Ohio, Colorado, Oregon and North Carolina. OCR imposed a civil monetary penalty (CMP) on a fifth provider, a cardiologist in Long Island (New Hyde Park), New York. OCR imposed a penalty on this provider, instead of settling, because of the provider’s failure to cooperate with OCR over a multi-year investigation. Providers are required under the HIPAA Privacy Rule’s right of access standard to provide patients with timely access (within 30 days of a request) to their medical records. The details of each HIPAA right of access complaint, and their resolutions are provided below.

The Four HIPAA Right of Access Complaints Settlements

HIPAA Right of Access Complaint

The first four HIPAA right of access complaints that will be discussed have one thing in common, the providers cooperated with the HHS and reached settlement agreements. Their cooperation significantly affected how much they were ultimately fined.

Advanced Spine and Pain Management

Advanced Spine & Pain Management (ASPM) located in Cincinnati and Springboro, Ohio, is a provider of chronic pain management and treatment services. In November of 2021, an ASPM patient filed a complaint with OCR, alleging that ASPM had not provided him with timely access to his PHI. HHS then investigated. During the investigation, ASPM acknowledged that it received the patient’s request on the date the patient sent it. However, ASPM did not send the requested PHI until four months later. As a result, to avoid incurring a Privacy Rule right of access civil monetary penalty, ASPM entered into a resolution agreement with OCR. Under the terms of the agreement, ASPM has agreed to pay OCR $32,150, and to submit to a two-year corrective action plan (CAP).

Denver Retina Center (DRC)

Denver Retina Center provides retinal ophthalmology services in Glendale, Colorado. A DRC patient filed a complaint with OCR in the summer of 2019, alleging that DRC ignored her December, 2018 request for access to her medical records. In her complaint, the patient noted that she previously filed a complaint, in March of 2018, alleging an earlier right of access violation. OCR closed out that complaint by providing technical assistance to DRC. In response to the July 2019 investigation, DRC admitted that it was late in responding to the complaint – by  almost seven months. DRC appears to have turned a blind eye to fully cooperating with OCR, as it failed to simply confirm the date of the December, 2018 request. OCR, upon investigation, concluded that DRC failed to have sufficient written policies and procedures related to providing timely access to PHI under the right of access standard. To illuminate the importance of the right of access, OCR entered into a resolution agreement with DRC. Under the agreement, DRC must pay $30,000 to HHS and undergo a two-year corrective action plan.

Let’s Simplify Compliance

Avoid HHS fines by becoming HIPAA compliant today!

Learn More!
HIPAA Seal of Compliance