OCR Settles resolves 3 HIPAA Right of Access Violation Cases

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the conclusion of three investigations into alleged violations of the Health Insurance Portability and Accountability Act’ Privacy Rule’s patient right of access provision. Under the Privacy Rule, patients are awarded a fundamental right to receive their medical records within 30 days from the date of request. The cases are a part of a larger initiative to promote compliance with the legal right of access, which now amounts to 41 in total. 

The first case involved Chicago, Illinois-based Family Dental Care (FDC). On August 8, 2020, the OCR received a complaint stating that FDC had failed to give a former patient access to all of her medical records within an appropriate time period. In May 2020, the patient had made the request, however, had only received some parts of the medical data. Following this, the patient filed a complaint to the OCR which prompted an investigation into the incident. During the investigation, the FDC had provided the patient with her complete records in October 2020, five months after the initial request. The OCR’s investigation, the FDC were found to have violated the HIPAA right of access provision and were ordered to pay a $30,000 fine along with the implementation of a corrective action plan. 

The second case concerned a Georgia-based dental provider Great Expressions Dental Center of Georgia (GEDC-GA). The OCR had received a complaint in November 2020, alleging that GEDC-GA had failed to provide a patient their medical records within a timely manner as the patient refused to pay the GEDC-GA a $170 copying fee. The patient finally received her medical records in February 2021, a year on from her initial request. An investigation was then conducted by the OCR who determined that GEDC-GA was in violation of HIPAA’s right of access laws on account of their failure to provide medical data in a timely manner and their practice of copying fees. GEDC-GA settled the incident with a $80,000 penalty and the implementation of a corrective action plan. 

The Final case involves Paradise Family Dental (PFD) located in Las Vegas, Nevada. According to the OCR, a complaint was filed against PFD alleging the dental practice had failed to provide a mother with access to her own and her child’s medical records. The mother had made numerous requests for the records between April 11, 2020, and December 4, 2020, however PFD did not send the records until December 31, 2020. PFD were ordered to pay a $25,000 fine and to implement a corrective action plan.