PRIVACY + SECURITY BLOG

News, Developments, and Insights

First OCR Enforcement of HIPAA’s Right of Access

HIPAA Right to Access

Days after my recent blog post on the HIPAA Right of Access, the OCR released details of their first enforcement action for violation of the Right of Access.

The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg.  She requested the records of her unborn child in October 2017 and after receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers).  It was not until after the OCR’s investigation in February 2019 that she received the complete records directly.  HIPAA requires medical records to be provided within 30 days of the request.

The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan.  The corrective actions include written policies and procedures around access rights, increased training and incident reporting among others.

I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history.  More than 15 years went by before this single action.  A lot more enforcement must start happening.

Continue Reading

The Failure of HIPAA’s Right of Access

HIPAA Right to Access PHI - TeachPrivacy 02

One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far there is to go for providers to be in compliance.  More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records.  A further 20% of the providers would not provide records until requests were escalated to supervisors.  Which means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.

HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524

I have written on numerous occasions about patient control of their own records and reforms needed to support this right.  Getting access to medical records doesn’t seem to have improved very much.  Despite HIPAA’s right of access, it doesn’t seem to be taken very seriously by providers.

Continue Reading