Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and specifically the Privacy Rule under HIPAA’s implementing regulations, patients have a right to access their health information held by health care providers. In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance stressing the importance of this right. The OCR also implemented a HIPAA Right of Access Initiative as an enforcement priority in 2019, and the OCR has since actively pursued violations under the right of access standard.

Earlier this month, OCR announced the first right of access settlement of 2021—its fourteenth since announcing its Initiative in 2019—resolving alleged failures by Banner Health affiliated covered entities (Banner). Banner, based in Phoenix, Arizona, is one of the largest healthcare systems in the United States with more than 30 hospitals and a range of other facilities. Banner agreed to pay $200,000 as part of the settlement, the largest penalty levied against a covered entity for right of access violations, and will also be subject to a corrective action plan that involves two years of monitoring by OCR. The corrective action plan can be very instructive for other provider to understand what measures they may take to ensure they comply with HIPAA’s right of access and do not run afoul of the OCR’s Initiative.  For example, the corrective action plan requires Banner to review and revise its policies and procedures governing access to health records, distribute such policies to all workforce members (including to all new workforce members on an ongoing basis), and provide training on such policies and procedures.

According to OCR Director Roger Severino, this settlement “signals that [OCR’s] Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” OCR’s investigation stemmed from two separate alleged right of access failures. The first complaint alleged that a patient who requested their medical records in December 2017 did not receive those records until May of the following year. The second alleged a similar delay, where a patient who requested access to their records in September 2019 did not receive them until February 2020. OCR ultimately concluded that these failures to provide timely access constituted potential violations of the right of access standard, sending a clear message to providers that requested records should be provided promptly in response to patient requests.

The resolution agreement and corrective action plan may be found here. For assistance with implementing or reviewing a HIPAA program to minimize risks to health information privacy and ensure compliance with the requirements of the right of access standard, please contact one of the authors.