OCR’s HIPAA Right of Access Initiative Going Strong After Announcement of 26th and 27th Enforcement Actions

On March 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four Health Insurance Portability and Accountability Act (HIPAA) enforcement actions. Two of the actions relate to OCR’s HIPAA Right of Access Initiative, while the other two involve incidents where healthcare providers impermissibly disclosed their patients’ protected health information (PHI).

The two actions announced under the Right of Access Initiative bring the total number of enforcement actions to twenty-seven since the Initiative began in late 2019. The total settlement or penalty amount resulting from the Initiative now exceeds $1.6 million. According to OCR, the Right of Access Initiative is meant to ensure that patients receive copies of their medical records in a timely manner, in the form and format of their choice, and for a reasonable cost.

In one of these most recent Right of Access actions, OCR announced that Jacob & Associates, a psychiatric medical services provider in California, failed to provide a patient with access to the patient’s medical record over the course of five years. In that action, OCR’s investigation determined that despite the patient having mailed a medical records request to the healthcare provider every year from 2013 to 2018, the patient never received any response from the provider. In 2018, the patient resubmitted the request via facsimile, but did not receive a copy of the requested records until May 2019. In addition, OCR found that the provider required the patient to travel to the provider’s office to complete the provider’s specific request form and charged the patient a flat fee of $25 for the records.

As part of the resolution agreement, Jacob & Associates agreed to pay $28,000 and enter into a corrective action plan with OCR. Specifically, the provider is required to develop, maintain, and revise its policies and procedures to comply with the HIPAA Privacy Rule. Those policies include, but are not limited to, Designated Record Set Policy, Right of Access to PHI Policy, and training and sanction policies. Furthermore, OCR requires the provider to correct deficiencies identified in the provider’s Notice of Privacy Practices, as well as to designate a specific privacy official responsible for implementing the privacy policies and procedures. Finally, the corrective action plan requires extensive reporting to OCR over the course of two years.

Healthcare providers must be aware of their responsibilities to provide their patients with timely, accessible, and affordable access to their medical records. According to OCR, it has numerous Right of Access investigations open across the country and continues to receive complaints from patients. OCR Director Lisa Pino confirmed recently that “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil monetary penalties for violations that are not addressed.”

About the Author

David is a shareholder at Young Moore and advises clients in matters related to healthcare privacy and data security, breach notification and reporting requirements, and HIPAA compliance. He assists covered entities and business associates with HIPAA privacy and security policies and procedures, incident response and investigation, and workforce and management training. David currently serves as the Interim Associate Compliance Officer and Director of Privacy of an Academic Medical Center in North Carolina.

