Another HIPAA right of access settlement from OCR highlights need for timely response

The Office for Civil Rights' 13th such settlement of the past year-plus comes on the heels of new proposed changes to the HIPAA Privacy Rule that prioritize patient access.
By Mike Miliard
10:05 AM
A Department of Health and Human Services building

The HHS Office for Civil Rights on Tuesday announced the most recent in a spate of monetary settlements in its HIPAA right of access enforcement.


OCR has made enforcement of patient access a major priority in recent months. In the most recent case, Dr. Peter Wrobel and his Georgia-based practice Elite Primary Care agreed to take corrective actions and pay $36,000 to settle a potential violation of the HIPAA Privacy Rule.

In April 2019, OCR received an allegation that Elite had not responded to a patient's request for access to his medical records. A month later, the agency offered the practice technical assistance on right of access requirements and closed the complaint.

But in October, OCR got another complaint alleging that the patient had still not been given access to their medical records. 

After an investigation, it was determined that Elite's failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. In addition to the settlement money, Elite will enact a corrective action plan and be monitored by OCR for two years.

The patient finally received a copy of his medical record in May 2020 – more than a year after the first request.


Since assessing its first right of access rule settlement in late 2019, OCR has collected more than a dozen separate settlements – ranging in amount from $3,500 to $70,000 – from providers nationwide.

But some patients are still forced to sue to gain access to the medical records that belong to them.

The agency says it will "vigorously enforce" the patients' right to access their data in a timely fashion without being overcharged.

The effort is "about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough," said OCR Director Roger Severino.

These new enforcements come as OCR has issued a new proposed rulemaking that would overhaul some aspects of the HIPAA Privacy Rule – with a concerted focus on patient access.

Among the changes, the agency proposes shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days); clarifying the form and format required for responding to requests for protected health information; requiring covered entities to inform patients about their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy; and reducing the identity-verification burden on individuals exercising their access rights.

I spoke recently with Matthew Fisher, a partner at Mirick O'Connell and a specialist in healthcare law, about those proposed HIPAA changes and more, and he spoke in depth about the recent emphasis on right of access. That conversation is available as a HIMSScast episode.


"OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records," said Severino in a statement. "Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee."

Twitter: @MikeMiliardHITN

Healthcare IT News is a HIMSS publication.