11 Additional Providers Resolve HHS OCR Investigations Related to the HIPAA Right of Access Initiative

On July 15, 2022, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations as part of its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative (the "Initiative"). OCR created the Initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The resolution of these eleven investigations brings the total number of these enforcement actions to thirty-eight since the Initiative began. Saul Ewing has previously written about Initiative enforcement actions, including this Alert and this Alert.

​What You Need to Know:

• In this most recent Initiative announcement from OCR, one covered entity paid a $100,000 civil money penalty and the remaining ten covered entities paid fines ranging from $3,500 to $240,000 to settle alleged HIPAA violations. The health care providers included medical and dental practices in Illinois, New York, Maryland, Florida, Nebraska, Massachusetts, and Texas, hospitals in New York and Texas, and a nursing and rehabilitation center in in Massachusetts.
• OCR noted the number of requests made for the individual's health records prior to their actual release, whether OCR had initiated an investigation before the health records were released, and the overall length of time from initial request until the release of the records.
• The health care provider cannot use a patient's outstanding payment balance to justify its failure to timely respond to the patient's access to records request.
• The Initiative requires not only timely access to the patient's health records, but also the timely provision of a complete copy of a patient's health records if requested by the patient.
• The Initiative requires health care providers to provide to the patient's personal representative timely access to the affected patient's health records.

​HIPAA gives individuals the right to see and get copies of their health information from their health care providers and health plans. After receiving a request, a HIPAA covered entity, absent an extension, has 30 days to provide an individual or their representative with their records in a timely manner (the "HIPAA Right of Access").

The 11 most recent enforcement pursuant to the Initiative are:

1. OCR imposed a civil money penalty of $100,000 on ACPM Podiatry, with offices in Peoria and Canton, Illinois, after it failed to provide a former patient with his requested health records after multiple data requests from the former patient and OCR, and failed to respond to OCR's Letter of Opportunity and Notice of Proposed Determination.
2. Associated Retina Specialists, of New York agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Right of Access after it failed to provide a patient with a copy of her health records until three days after OCR initiated its investigation, and nearly five months after the complainant's first written request.
3. Lawrence Bell, Jr., D.D.S., a dental practice located in Baltimore, MD, agreed to take corrective actions and paid $5,000 to settle a potential violation of the HIPAA Right of Access after he failed to provide timely access to a patient's health record.
4. Coastal Ear, Nose, and Throat, located in Ormond Beach, Florida, agreed to take corrective actions and paid $20,000 to settle a potential violation of the HIPAA Right of Access after failing to provide timely access to health records after the patient's multiple requests.
5. Danbury Psychiatric Consultants, located in Massachusetts, agreed to take corrective actions and paid $3,500 to settle a potential violation of the HIPAA Right of Access after failing to respond timely to a complainant's access request, failing to provide access to all the complainant's health records until after OCR initiated its investigation, and withholding the complainant's access because the complainant had an outstanding balance and required a signed request or authorization request.
6. Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center, located in Buffalo, New York, agreed to take corrective actions and paid $50,000 to settle a potential violation of the HIPAA Right of Access after failing to timely provide an individual with a complete copy of his medical records.
7. Fallbrook Family Health Center, located in Nebraska, agreed to take corrective actions and paid $30,000 to settle a potential violation of HIPAA Right of Access after failing to provide timely access to medical records.
8. Hillcrest Nursing and Rehabilitation, located in Massachusetts, agreed to take corrective actions and paid $55,000 to settle a violation of the HIPAA Right of Access after failing to provide an individual's personal representative with timely access to her son's medical records.
9. MelroseWakefield Healthcare, a provider in Massachusetts, agreed to take corrective actions and paid $55,000 to settle a violation of the HIPAA Right of Access after failing to provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records.
10. Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, agreed to corrective actions and paid $240,000 to settle a potential violation of the HIPAA Right of Access after failing to respond timely to a complainant's access request.
11. Southwest Surgical Associates, a group practice with nine locations in the Greater Houston, TX area, agreed to corrective actions and paid $65,000 to settle a potential violation of the HIPAA Right of Access after failing to provide an individual timely access to their health information.

The Initiative affects health care providers of all sizes, specialties, and locations. HIPAA compliance continues to be essential for HIPAA covered entities and business associates. The Initiative and these 11 recent enforcement actions are an important and expensive reminder of the importance of providing individuals timely and complete copies of health records when a request is made.



Saul Ewing attorneys regularly help covered entities and business associates with HIPAA privacy, security, and breach notification policies and compliance activities.