Right of Access |

Providers & Health Plans Warned To Timely Deliver Requested Records By $100,000 HIPAA Penalty

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health care providers, health plans and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules’ right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension and prohibits charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone.

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020, regarding the status of her request, but still did not receive the requested records until it produced the records in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule.

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty.

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer. As stating:

Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days.Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..

Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Health Care | Tagged: Health Care Compliance, Health Care Provider, health care. OCR, Health Plans, HIPAA, Hospital, Medical Records, Physician, Privacy, Right of Access | Permalink
Posted by Cynthia Marcotte Stamer

High Dollar Civil Monetary Penalties Warn HIPAA-Covered Heath Providers, Health Plans & Healthcare Clearinghouses To Ensure Timely Medical Record Access

August 5, 2024

The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative. OCR’s AMR CMP announcement follows its April 1, 2024 announcement Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations. With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative. In light of OCR’s clear commitment holding all Covered Entities accountable for Access Rule compliance, all Covered Entities should recognize the importance of timely responding to each access request in accordance with the Access Rule to avoid similar CMP exposure for their organizations.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require that Covered Entities and their business associates meet for protecting to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights. Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires that a Covered Entity to respond to a request from an individual or its personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request. OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance governing the calculation of the allowable fee, if any, the Covered Entity can charge for providing the PHI to a reasonable cost-based fee calculated following the Access Rule. It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements. When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,¹ generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.³ The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31. 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, that clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its HER, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR. Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October, 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally. Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and providing AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule. OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMER a Notice of Proposed Determination that announced OCR’s intent to impose the $155,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows: $39,680 CMP Calendar Year 2018 (31 days from 12/1/18-12/31/18 at $1,280 per day); plus $75.520 CMP Calendar Year 2019 (59 days from 1/1/19 to 2//19, at $1,280 per day) = $115,200 Total CMP

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors, OCR determined AMR’s arguments factually inaccurate and not meriting change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors.

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority. Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024.

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule in April.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son who requested the records as his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally. Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC responded via e-mail through its attorney on April 29, 2022, that WCCC disagreed with OCR’s proposed resolution, OCR received an email correspondence from the WCCC’s attorney stating WCCC’s disagreement with OCR’s proposed resolution. OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020. WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC instead sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care, that WCCC also was struggling with the COVID-19 pandemic, that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request before WCCC’s response to the initial request was due and asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents.

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.
OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (the Patient’s AttorneyA).
OCR likewise found rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted amidine the midst of litigation with the requesting party during the COVID-19 pandemic and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule.

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019 that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records 323 days after the request on January 30, 2020 and only after OCR attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements.

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship, however, OCR agreed “as a compromise based on the unique facts and circumstances of this matter,” to accept in full satisfaction of the $75,000 CMP assessed due and owing by Phoenix under ALJ Decision affirmed by DAB Decision No. 3105 and DAB Decisions No. CR6232 in return for Phoenix’s payment of the $35,000 Settlement Amount and Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement makes clear OCR takes seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
Failing to provide timely response to even a single access request can trigger a significant CMP;
The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delay or refusal timely to provide requested medical records within 30 days;
While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, notification is delivered within 30 days of the original request and deliver the medical records promptly after the payment is received;
Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records. For instance, state medical licensure and ethics rules typically require physicians and other health care providers to provide copies of medical records or other materials that also qualify as protected health information under HIPAA. Likewise, the Employee Retirement Income Security Act, state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others with timely access to medical or other records that also are protected heath information under HIPAA. Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
OCR referred 2,197 to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints cumulatively, in order of frequency through April, 2024 have remained consistent across the 20 years since HIPAA became effective. They include cumulative in order of frequency:

Impermissible uses and disclosures of protected health information;
Lack of safeguards of protected health information;
Lack of patient access to their protected health information;
Lack of administrative safeguards of electronic protected health information; and
Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement has impacted all types of Covered Entities and business associates. According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

General Hospitals;
Private Practices and Physicians;
Pharmacies;
Outpatient Facilities; and
Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR’s even further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring to update their Notices of Privacy Practices, all Covered Entities and their business associates should ensure seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.