HIPAA Right of Access initiative results in serious enforcement actions

CJ Wolf, MD provides enforcement action summaries for the YouCompli blog. These summaries provide real-world examples of regulators’ response to practices that don’t fully comply with regulations. This month’s article looks at privacy enforcement actions.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) isn’t kidding around with its multi-year HIPAA Right of Access Initiative.

“It should not take a federal investigation before a HIPAA-covered entity provides a parent with access to their child’s medical records,” said former OCR Acting Director Robinsue Frohboese in June 2021. “Covered entities owe it to their patients to provide timely access to medical records.”

Example Settlements 

Request for minor child’s clinic records: Frohboese’s remarks were in response to a settlement with a diabetes clinic. The violation involved a mother requesting access to her minor child’s protected health information (PHI). The mother filed a complaint with OCR, and didn’t receive the requested record until nearly two years after her initial request. In this case, the settlement amount was $5,000, and the practice agreed to a two-year corrective action plan (CAP).  

Request for unborn child’s records: The Initiative’s first settlement was in 2019. In that case, Bayfront Health St. Petersburg settled with OCR for $85,000 and agreed to a one-year CAP. The agreement resolved allegations that Bayfront failed to provide a mother timely access to records about her unborn child. The mother complained to OCR. She finally received the requested information nine months after the initial request. Note that HIPAA historically has required that records be provided within 30 days, and new rules tighten that window. (Related: HIPAA Rule Updates require records to be provided within 15 days.)

Request for minor child’s hospital records: The most recent announcement was on September 10, 2021. It was OCR’s twentieth settlement under the Right of Access Initiative. Children’s Hospital & Medical Center answered allegations that it took too long to fulfill a medical records request. Like the very first settlement, it was a mother requesting records, this time of her minor daughter. According to OCR, the hospital provided some of the records but not all. OCR investigated the complaint and reported that the mother finally received all the records after OCR became involved. The hospital agreed to pay OCR $80,000 and entered a one-year corrective action plan (CAP). 

Request for access for third party: Sometimes the right of access request is not for the parent or patient to receive the records, but rather for the records to be sent to a third party at the patient’s request. For instance, a patient requested that Sharp Healthcare and its medical center send PHI in an electronic health record to a third party. When Sharp didn’t send the record, the patient filed a complaint with OCR. OCR reported that it provided the medical center with technical assistance on the HIPAA Right of Access requirements. Two months later, OCR received another complaint alleging the medical center still hadn’t responded to the patient’s request. OCR then initiated an investigation and determined the medical center had a potential failure to comply with the right of access provision. The medical center agreed to pay $70,000 and enter a two-year CAP.


Most settlements include a fine and CAP. CAPs can be an additional expense, so the work isn’t over after signing the check for the settlement dollar amount. Most CAPs require entities to: 

  • Develop, maintain, and revise written policies and procedures
  • Implement and distribute the policies and procedures to all appropriate workforce members and provide proof of such distribution 
  • Provide training on the Privacy Rule requirements concerning the individual’s right of access  
  • Ensure workforce members who are required to attend training certify that they have received the training  

Of course, these requirements are best practice anyway for any entity that must grant access to a patient’s PHI when requested. 

OCR is serious about its Right of Access Initiative and provides regular settlement updates online. Many of these investigations involve specific instances of delays in providing records. Make sure your entire staff understands the urgency of providing records in a timely manner and has the tools to do so. (Related: Solving the info-blocking compliance puzzle takes ongoing team effort.)

Managing regulatory change is a critical way to avoid enforcement actions. YouCompli is the only healthcare compliance solution that combines actionable regulatory analysis with a simple SaaS workflow to help you manage regulatory change. Read more about our regulatory monitoring process or schedule a demo.
