The Department of Health and Human Services' Office for Civil Rights settled a HIPAA Right of Access violation with Phoenix Healthcare.
On March 29, 2024, the Office for Civil Rights (OCR) within the Department of Health and Human Services settled a HIPAA Right of Access violation with Phoenix Healthcare for $35,000. This marked the 47th such investigation by OCR that resulted in a financial penalty. The violation arose when Phoenix Healthcare, a multi-facility nursing care organization in Oklahoma, failed to provide a daughter, acting as her mother's personal representative, timely access to her mother's medical records.
Despite multiple requests, it took nearly a year (323 days) to provide the requested records. Following a complaint to OCR, an investigation confirmed Phoenix Healthcare had violated the HIPAA Right of Access provision, which requires that patients or their personal representatives receive requested health information within 30 days. Initially, OCR intended to impose a $250,000 penalty on Phoenix Healthcare. The organization contested this decision, and an Administrative Law Judge (ALJ) affirmed the violations and willful neglect and ordered a reduced penalty of $75,000. Phoenix Healthcare then appealed.
Ultimately, OCR agreed to a settlement on the condition that Phoenix does not challenge the decision, revises its HIPAA policies, and conducts training on these policies for its workforce. This incident is one of three OCR HIPAA investigations in 2024 to conclude with a financial penalty.
The HIPAA Right of Access provision gives people the right to access their protected health information (PHI). Covered entities are allowed to charge a reasonable, cost-based fee for providing copies of PHI. This amount is meant to cover only the costs of labor for copying, supplies, and postage, without including costs for search and retrieval of the information.
The provision aims to empower individuals by making sure they have timely access to their health information, typically within 30 days of their request, enabling them to make informed decisions about their health care. The Privacy Rule, while allowing for certain fees, encourages covered entities to provide this access free of charge, especially when the individual's financial situation would make paying the fee difficult.
“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”
The Office for Civil Rights (OCR) is a division of HHS responsible for enforcing certain regulations that protect the privacy and security of health information.
The OCR enforces HIPAA rules by investigating complaints, conducting compliance reviews, and performing education and outreach to foster compliance with the law’s requirements.
OCR settlements serve as a reminder of the importance of HIPAA compliance. They also show the consequences of non-compliance.