The HIPAA Privacy Rule generally requires covered entities to provide individuals access to their “designated record sets” maintained by or for the covered entity, as defined by 45 C.F.R. § 164.501.  There are specific requirements to comply with the HIPAA Privacy Rule’s Right of Access mandate, including methods of providing access, timeliness in providing access, and – when applicable – the methods of denying access to records.  There are few exceptions to the HIPAA Privacy Rule’s Right of Access mandate.

On November 6, 2020, the U.S. Department of Health and Human Services’(HHS) Office of Civil Rights (OCR) announced its tenth settlement involving alleged violations of HIPAA’s record access requirements.  The settlement was part of OCR’s “HIPAA Right of Access Initiative,” which Roger Severino, Director of OCR, has repeatedly described as a top OCR priority.  Just six days later, OCR announced its eleventh settlement regarding alleged violations of HIPAA’s record access requirements.  

According to OCR’s press release, Dr. Rajendra Bhayani did not provide a patient with her medical records after her request in July 2018.  Similar to other HIPAA Right of Access investigations, OCR provided technical assistance to Dr. Bhayani and closed the complaint.  A year later, OCR received a second complaint alleging that Dr. Bhayani had yet to provide the patient with her medical records, and the second investigation was opened resulting in the settlement.

According to the resolution agreement, Dr. Bhayani failed to cooperate with OCR’s investigation and failed to provide the patient with timely access to records.  He agreed to pay $15,000 and to take corrective action as part of the settlement.  While the settlement may appear negligible in contrast to the million-dollar settlements related to HIPAA violations, the settlement reflects OCR’s continued prioritization of HIPAA Right of Access enforcement.  According to Director Severino, “doctor’s offices, large and small, must provide patients their medical records in a timely fashion.  We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.” 

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation.  If you need assistance with such a matter, please contact us today.