OCR Sanction Of 44th Health Care Provider For Violating HIPAA Right of Access Rules Warning To Other Covered Entities

Health care providers, health plans, healthcare clearinghouses (“Covered Entities”) and their business associates, plan sponsors and fiduciaries, and leaders confirm the defensibility of their practices for responding to patient record requests in light of the schooling licensed professional counselor David Mente, MA, LPC (“Mente”) and other 43 other unrelated health care providers already have received from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for allegedly violating the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule’s right of access provision.

HIPAA’s right of access rule requires Covered Entities to give patients or their personal representatives’ timely access to their protected health information within the time frames and other requirements of HIPAA’s right of access rules. The obligation generally applies to requests made by a patient or his or her personal representative. Covered Entities must ensure prompt and timely delivery of required health care records within the required time frame, whether the records are in the custody of the Covered Entity or a business associate. Beyond timely delivery, Covered Entities and, where applicable, business associates also must use appropriate processes to verify the identity of the patient or personal representative requesting the records, must generally deliver the records in the required format requested by the requesting patient or personal representative and cannot charge more than the allowable amount permitted by the rule. Covered Entities face potentially substantial HIPAA penalties for violating these requirements in addition to any applicable penalties a health care provider may face under applicable Board of Medicine or other health care laws or a health plan might face under the Employee Retirement Income Security Act (“ERISA”) or other laws. OCR has made enforcement of the right of access rule a priority under its Right of Access Initiative because of widespread noncompliance with the rule by health care providers.

A HIPAA settlement with Mente announced May 8, 2023 marks the 44th case where a Covered Entity investigated under OCR’s HIPAA Right of Access Initiative. The investigation that resulted in the settlement with Mente arose from a December 2017 complaint filed with OCR alleging that Mente would not provide a father (personal representative) with a copy of his three minor children’s medical records. OCR initially provided technical assistance to Mente on the requirements of the HIPAA Privacy Rule’s right of access requirements and closed the complaint. When the father subsequently requested his children’s records again in April 2018, and despite OCR’s prior technical assistance, Mente still failed to respond to the request, leading to the father filing a second complaint. OCR’s investigation of this complaint determined that Mente’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Under the resolution agreement (RA), As part of the CAP, Mente provided the father with all requested records in its possession. Mente must respond to the right of access request without delay, implement a corrective action plan (CAP) to be in compliance with the HIPAA Privacy Rule and pay a resolution amount of $15,000.

The Mente resolution is not unique. OCR also has sanctioned other health care providers. For instance, in September 2023, OCR announced right of access violation investigations resulting in settlements with three separate dental practices:

  • Family Dental Care, P.C. (“FDC”), a dental practice located in Chicago, Illinois. OCR received a complaint on August 8, 2020, alleging that FDC failed to provide a former patient with timely access to her complete medical records. The former patient requested her entire medical records in May 2020, but received only portions.  The former patient filed a complaint with OCR, and during OCR’s investigation, FDC provided her with the remainder of her records in October 2020. Thus, FDC did not provide a complete copy of the records until more than five months after the request was made. OCR’s investigation determined that FDC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. FDC agreed to pay $30,000 and implement a corrective action plan.
  • Great Expressions Dental Center of Georgia, P.C. (“GEDC-GA”), a dental and orthodontics provider with multiple locations throughout the state of Georgia. In November 2020, OCR received a complaint alleging that GEDC-GA would not provide an individual with copies of her medical records because she would not pay GEDC-GA’s $170 copying fee. The individual first requested her records in November 2019, but did not receive them until February 2021, over a year later. OCR’s investigation determined that GEDC-GA’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. GEDC-GA agreed to pay $80,000 and implement a corrective action plan.
  • B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental (“Paradise”), a dental practice in Las Vegas, Nevada.  On October 26, 2020, OCR received a complaint alleging that Paradise had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but Paradise did not send the records until December 31, 2020, more than eight months after her initial request. OCR’s investigation determined that Paradise’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Paradise agreed to pay $25,000 and implement a corrective action plan.

OCR’s announcement of its findings and the resulting settlement agreement with Mente caution other Covered Entities to comply with the right of access rules. “Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.  HIPAA-regulated entities should be proactive and work to ensure patients and their representatives can access records.”

Health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own compliance with HIPAA right of access and other applicable federal and state statutory regulatory and contractual requirements.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:


If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: