PRIVACY + SECURITY BLOG

News, Developments, and Insights


HIPAA Right to Access

Days after my recent blog post on the HIPAA Right of Access, the OCR released details of their first enforcement action for violation of the Right of Access.

The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg. She requested the records of her unborn child in October 2017. After receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers). It was not until after the OCR’s investigation in February 2019 that she received the complete records directly. HIPAA requires medical records to be provided within 30 days of the request.

The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan. The corrective actions include written policies and procedures around access rights, increased training, and incident reporting, among others.

I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history.  More than 15 years went by before this single action.  A lot more enforcement must start happening.

Related Blog Posts

Daniel J. Solove, The Failure of HIPAA’s Right of Access

Daniel J. Solove, Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel J. Solove, HIPAA’s Failure to Provide Enough Patient Control Over Medical Records

Daniel J. Solove, The Persistent Problems with Access to Records Under HIPAA

Daniel J. Solove, Yes, HIPAA Requires Medical Records to Be Emailed to Patients if Requested

 

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals. 

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
