Feds settle five HIPAA right of access cases

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has settled five investigation in its HIPAA Right to Access Initiative announced as a priority in 2019.

According to a news release, these five settlements bring the total number of completed enforcement actions as part of the initiative. The five organizations which were targeted by the investigations are required to pay fines ranging from $3,500 to $70,000 and to adopt corrective action plans, including observation periods.

Each was accused of either denying or failing to respond to a request from patients to access or inspect their own medical records; a possible violation of the HIPAA Privacy Rule’s right of access provision, the release says.

These enforcement actions are designed to send a message to members of the healthcare industry about the importance and necessity of complying with HIPAA rules. OCR takes a number of factors into account when determining settlement amounts including the nature and extent of the harm resulting from the potential violations, the organization’s history of compliance with HIPAA, the organization’s financial condition, and other matters, the release says.

"Patients can't take charge of their health care decisions, without timely access to their own medical information," OCR Director Roger Severino says in the release. "Today's announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough."

In April, OCR said it would ease HIPAA enforcement during the COVID-19 coronavirus pandemic and would not impose penalties for violations of certain provisions of the privacy rule the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities.

The acts described in the complaints pre-date the onset of the public health emergency.