OCR Holds Healthcare Provider Accountable for HIPAA Right of Access

Photograph of wooden blocks that spell HIPAA

OCR Resolves HIPAA Right of Access Investigation

A primary care provider in Florida recently paid $20,000 for failing to release medical records in a designated timeframe of no more than 60 days. Instead, it took five months for a woman, acting as a personal representative on behalf of her deceased father, to get all the records that she’d requested. And that was only after the Office for Civil Rights (OCR) investigated her complaint.

Know Who’s Entitled to Patient Information

“For many years, PrivaPlan has encouraged our healthcare customers to comply with the rights of a patient’s personal representative to access the patient’s protected health information,” PrivaPlan CEO David Ginsberg said, noting that this can be confusing in the case of a deceased patient, as the settlement against the primary care provider might indicate. On Dec. 15, 2022, Health Specialists of Central Florida Inc. paid the settlement to the OCR and agreed to implement a corrective action plan that includes two years of monitoring.

“Spouses, children, or other dependents of a deceased patient may be a personal representative,” Ginsberg explained. “In some states, such as California, the executor of the deceased’s estate is a personal representative, and, if there is a valid authorization in place, it must be followed. Even non-legally defined personal representatives who were involved in the care of a deceased patient may be entitled to limited patient information, as enacted with the 2013 HIPAA Omnibus Rule.”

Know When to Take Action

That was not the case when the daughter filed her complaint in August 2019, alleging that the provider failed to give her timely access to the requested medical records, despite multiple requests. OCR’s investigation determined that this was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable).

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. “We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer.

Know What to Do with the HIPAA Right of Access Initiative

This investigation marks the 42nd case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law. Don’t be the 43rd case. Contact the HIPAA experts at PrivaPlan to learn more and make sure your covered entity is always compliant.

Related Posts

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Sign up for updates

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.