
Recent HIPAA Right of Access Violation Leads to Behavioral Health HIPAA Fine


On March 28, 2022, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had reached settlement agreements with four healthcare providers for HIPAA violations related to the HIPAA Right of Access initiative. To settle violations of the HIPAA Privacy Rule, all four providers agreed to implement corrective action plans and pay HIPAA fines.

What is the HIPAA Right of Access Initiative?

In 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made enforcement of the HIPAA right of access standard a priority. Since then, HHS OCR has issued more than twenty-five fines to healthcare providers that failed to comply with the standard.

How can you ensure that your practice adheres to the HIPAA right of access standard? It is essential to have written HIPAA policies and procedures that spell out the right of access requirements. It is also crucial that staff members are trained on these policies and procedures so that they know their obligations.

Under the right of access standard, patients can request copies of the medical records contained in their “designated record set.” One exception applies: psychotherapy notes may be excluded. Healthcare providers have thirty days from a patient’s request to provide copies of the records to the patient in the format requested (e.g., paper records, USB, CD).

Behavioral Health Practice Comes to OCR Settlement Agreement

On November 23, 2018, a patient submitted a complaint to the OCR claiming that she repeatedly requested access to a copy of her medical records from Jacob & Associates with no response. She made her first request by mail on July 1, 2013, and she sent subsequent requests each year following, until reporting Jacob & Associates in 2018.

The HHS investigation revealed that her most recent mailed request for the records was on July 1, 2018, again with no response. She then resubmitted the request by fax and was provided a complete copy of her medical records by email on May 16, 2019. The settlement agreement notes that this came “…after requiring her to travel to its office to complete its form to exercise her right to access, imposing a flat fee that was not cost-based ($25 per medical records request), and initially providing an incomplete (one page) paper copy of the records.”

In addition to its failure to comply with the HIPAA right of access standard, Jacob & Associates had not designated a privacy official, and its Notice of Privacy Practices did not meet HIPAA Privacy Rule requirements. The case summary in the OCR settlement agreement stated, “Jacob & Associates failed to provide timely access, in the form and manner requested, to protected health information about the individual in a designated record set; imposed an unreasonable fee that was not cost-based; and failed to implement policies and procedures regarding the right of access to protected health information.”

To settle potential HIPAA Privacy Rule violations, Jacob & Associates agreed to a $28,000 HIPAA fine and implemented a corrective action plan. In addition to the Jacob & Associates settlement, three dental practices agreed to pay HIPAA fines and submit to corrective action plans. One of those practices also violated the right of access standard, while the other two violated other provisions of the HIPAA Privacy Rule. The four HIPAA fines announced totaled $172,000.

This settlement is one of several HIPAA Right of Access Violation cases that have surfaced since the HIPAA Privacy Rule was expanded.

This Article is Contributed by Compliancy Group
