More Healthcare Organizations Penalized by OCR’s HIPAA Right of Access Initiative

April 11, 2022 David Holtzman, JD, CIPP/US/G

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced that through March 2002 its HIPAA Right of Access Initiative has resulted in 28 enforcement actions against healthcare organizations and health plans, levying fines and putting corrective action plans into place. In September 2019 OCR announced that it would focus its resources on enforcing patients’ rights to receive copies of their health records and on stopping HIPAA-covered entities from overcharging for these medical records.

What is the Right of Access Initiative? 

The HIPAA Right of Access Initiative is the special emphasis OCR has placed on responding to complaints from patients, or their personal representatives, who allege that they did not receive their medical records in a timely manner or were charged more than the amount allowed. Access to health records is a patient’s fundamental right under the HIPAA Privacy Rule. OCR had received numerous complaints that covered entities, including health care providers and health plans, were failing to provide timely access, not providing access at all, or overcharging when they received requests for patients’ health records. Covered entities, and any business associates involved in providing access to medical records, must ensure that they follow the requirements of the HIPAA Privacy Rule, which sets forth standards for establishing procedures for when and how access is to be provided.

What are the Access Requirements? 

The HIPAA Privacy Rule, with limited exceptions, requires that a covered entity provide a patient, or the patient’s personal representative, access to inspect and obtain a copy of protected health information (PHI) held in a designated record set.[1]

The covered entity must act on a request for access, or provide copies when a patient seeks their health records, no later than 30 days after it receives the request. If the covered entity grants the request, it must inform the individual and provide the access requested or copies of the records. If the request is denied, the covered entity must provide a written denial along with an explanation and information about the appeal rights specified in the Privacy Rule. If the covered entity is not able to provide or deny access within 30 days, it may extend its response time by an additional 30 days, provided it notifies the individual of the reasons for the delay and the expected date on which it will act on the records request.

A covered entity is limited to charging only a reasonable, cost-based fee for copies. Some states have laws that specify the precise cost or place additional limitations on fees that a covered entity may charge a patient. OCR has cautioned that although a state’s law may allow a higher fee for producing copies of health records, these charges are preempted by the Privacy Rule’s prohibition on assessing amounts that are more than a covered entity’s actual costs. 

[1] Learn more about OCR’s guidance on providing individuals with the ability to access and obtain a copy of their health information.


Takeaways from OCR’s Enforcement Actions 

The Right of Access Initiative is a response to the numerous complaints from patients 

Healthcare organizations have a mixed record of complying with the Privacy Rule’s right of access standard. OCR reports that the lack of patient access to health records is one of the compliance issues most frequently cited in complaints it receives about compliance with the Privacy Rule. Enforcement actions taken under the Right of Access Initiative have targeted large and small healthcare organizations, including clinical health providers, hospitals, a regional health system, and a major insurer.

Take voluntary corrective action when receiving a Technical Assistance Letter from OCR 

Typically, OCR provides HIPAA-covered entities the opportunity to take voluntary corrective action to resolve complaints from patients over access to their health information. A major theme in the Right of Access Initiative enforcement actions is that OCR first sent correspondence to the healthcare organization providing technical assistance on how to comply with the Privacy Rule. It is important to prioritize the “corrective actions” identified in OCR’s correspondence, including: how the covered entity enables the access rights of an individual; reviewing the policies and procedures by which individuals request and obtain access to PHI and determining whether they comply with the mandated criteria; verifying that access was provided consistent with those policies and procedures; and making sure responses were made in a timely manner.

In many instances, the covered entity did not implement the guidance it had received in OCR’s Technical Assistance Letter. When healthcare organizations failed to take voluntary corrective action, OCR responded with a lengthy compliance review that often resulted in formal compliance action. The average penalty assessed by OCR against hospitals and health systems in these enforcement actions is over $90,000, in addition to a corrective action plan to implement policies and procedures that comply with the Privacy Rule’s right of access standard.

The cost of compliance is less than the fines and organizational disruption from enforcement 

Ensuring patient access to their treatment records, as well as opening more avenues for consumers to control their health information, is a major goal shared by the Biden administration and Congress. The recently implemented Information Blocking and Interoperability regulations, mandated by the 21st Century Cures Act, expand how patients access and manage the use of their electronic health information. HHS is also prioritizing patient access by enforcing HIPAA’s existing standards that guarantee these rights, and it has proposed new rules to expand them.

Learn more about CynergisTek’s services for healthcare organizations to assess compliance with the HIPAA Privacy Rule, mitigate gaps in policies and procedures, and provide staffing to manage their privacy program. 

About the Author

David Holtzman, JD, CIPP/US/G

David Holtzman is the founder of HITprivacy LLC where he advises public and private organizations on health information privacy and security. He is a sought-after commentator and speaker on changes to privacy law impacting the healthcare industry. David previously served on the health information privacy team at HHS/OCR. There he led many OCR initiatives including integration of the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David went on to provide thought leadership and consulting services with CynergisTek Security. He is a member of the HHS CISA 405-d Workgroup and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council.
