Banner Health agrees to pay $200k to settle potential HIPAA violations

The Office of Civil Rights continues to make good on its promise to "vigorously enforce" the right of patients to get timely access to their medical records.
By Kat Jercich
03:21 PM

HHS OCR Director Roger Severino (Photo by Aaron P. Bernstein/Getty Images)

The U.S. Department of Health and Human Services Office of Civil Rights announced on Tuesday that Banner Health had agreed to pay $200,000 to settle potential violations of the HIPAA Privacy Rule's right of access standard.

The Phoenix, Arizona-based health system operates 30 hospitals, in addition to its numerous primary care, urgent care and specialty care facilities. It had been accused of failing to provide individuals access to their medical records in a timely fashion.


According to a press release, OCR had received two complaints regarding Banner Health's affiliated covered entities.  

In the first, an individual claimed that she had requested access to her medical records in December 2017 and did not receive them until May 2018. 

In the second, a person said that it took until February 2020 for a Banner Health affiliate to send an electronic copy of the records he had requested in September 2019.

"OCR’s investigations determined that Banner Health ACE entities’ failure to provide timely access to the requested medical records were potential violations of the HIPAA right of access standard," noted the press release.  

Banner also agreed to undertake a corrective action plan that includes two years of monitoring.  


The settlement is the 14th action in OCR's Right of Access Initiative, in which the agency promised to "vigorously enforce" the rights of patients to get timely copies of their medical records without being overcharged.

Most recently, this past month, the Georgia-based practice Elite Primary Care agreed to take corrective actions and pay $36,000 to settle a potential violation of the HIPAA Privacy Rule.

As Healthcare IT News' Mike Miliard reports, the enforcements come on the heels of proposed rulemaking from OCR that would overhaul some aspects of the HIPAA Privacy Rule. The agency's potential changes include shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days), clarifying the form and format required for responding to requests for protected health information, requiring covered entities to inform patients about their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy, and reducing the identity-verification burden on individuals exercising their access rights.


"This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records," said OCR Director Roger Severino.

Kat Jercich is senior editor of Healthcare IT News.

Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
