HIPAA: Access to Records


By Elizabeth Hogue, Esq.

A key purpose of the Health Insurance Portability and Accountability Act (HIPAA) is certainly to protect patient information.
Another is to help ensure that patients have access to their health information. In fact, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, the primary enforcer of HIPAA, has focused on enforcement actions against providers that do not make information available to patients on a timely basis. OCR launched a right to access enforcement initiative in 2019 that is continuing.


Providers must give medical information to patients and their representatives within thirty days of requests. When they fail to do so, they may be subject to enforcement action by OCR. Following are two examples of recent enforcement actions. 


OCR announced on April 1, 2024, that Essex Residential Care in New Jersey will pay a civil money penalty of $100,000 to resolve violation of HIPAA’s right of access standard. This is the 48th settlement reached under the right of access initiative. OCR received a complaint in May of 2020 from the personal representative of the estate of a patient who passed away. Following an investigation by OCR, the personal representative, who was the son of the patient, received the records in November of 2020. The provider did not contest the fine. 


In another recent case, the daughter of a patient who passed away was appointed as the personal representative of her mother’s estate. She made multiple requests to Phoenix Healthcare for a copy of her mother’s medical records. She finally received the records one year after her initial request. Phoenix Healthcare initially received a civil money penalty of $250,000 for failure to provide timely access. 


The provider appealed. An administrative law judge (ALJ) upheld the violation and ordered Phoenix to pay a civil money penalty of $75,000. The Departmental Appeals Board affirmed the ALJ’s decision. Then Phoenix agreed to settle for $35,000 and waived the right to further appeals. While it may seem in this case that the provider’s appeals significantly lowered its costs, it is important to note that the provider also undoubtedly expended significant resources on two appeals of OCR’s enforcement action. 


Providers have placed a great deal of time and effort into the protection of healthcare information in compliance with HIPAA. Rightfully so, but providers seem to have lost sight of the fact that HIPAA is also about ensuring that patients and their representatives have timely access to their records. Now is the time for providers to conduct intensive education of staff members about HIPAA’s requirements regarding access in order to avoid enforcement actions like those described above. 


©2024 Elizabeth E. Hogue, Esq. All rights reserved. 

No portion of this material may be reproduced in any form without the advance written permission of the author.