Small health care providers settle potential violations of HIPAA ‘right to access’ provision

September 21, 2020

Two small health care providers in Virginia and Colorado have agreed to pay $10,000 and $3,500, respectively, to settle potential violations of the HIPAA Privacy Rule’s “right of access” provision.

The right of access provision requires dental practices and other HIPAA-covered entities to provide to individuals, within 30 days, access to their protected health information when requested ― including the right to inspect or obtain a copy of the information or to direct the entity to transmit a copy of the PHI to a designated person. 

The Office of Civil Rights at the U.S. Department of Health and Human Services has completed seven investigations for potential right of access violations in 2020, all resulting in settlements, including one for $70,000. 

All of the providers, including a specialty family medicine clinic in California and a provider of mental health services in Massachusetts, have also agreed to adopt corrective action plans, which can require the entity to draft policies and procedures, and include one to two years of OCR monitoring. 

OCR’s ‘right of access’ initiative 

“OCR’s enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA rules,” the OCR stated in a Sept. 15 news release announcing the recent settlements. The OCR made “right of access” an enforcement priority in 2019. 

The OCR enforces all HIPAA Privacy and Security rules and investigates related complaints. Last year, a dental practice in Dallas, Texas, agreed to pay a settlement of $10,000 to the OCR for potentially disclosing patients’ PHI on social media. Learn how the OCR enforces the HIPAA Privacy and Security rules, including investigation of complaints.

California’s ‘access to records’ laws more stringent

Both HIPAA and state law apply when providing patients with access to their health information. Under California law, dental practices and other HIPAA-covered entities must allow a patient to view their information within five days and must provide the patient with a requested copy of their records within 15 calendar days (compared to the 30 days required by the federal HIPAA rule).

Learn more in the CDA Practice Support resource “Patient Rights Under HIPAA.” Also use the “Patient Request to Access Records Form and Q-and-A,” which includes a customizable records release form.

