$85,000 Settlement in OCR’s First HIPAA Right to Access Case

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

HIPAA Enforcement is Happening
Enforcement is in action. That’s what Bayfront Health-St. Petersburg recently learned when it agreed to pay $85,000 in penalties to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) for a potential violation of the HIPAA right to access provision.

This is the first enforcement by the OCR since the announcement of its initiative earlier this year. Officials vowed to strictly enforce patients’ right to receive access to their records in a timely fashion and without being overcharged.

MedRxiv announced earlier this year (in August) that more than 50% of providers failed to comply with this provision of HIPAA based on a study that they had conducted.

The penalty against Bayfront was a result of a complaint filed by a patient when she had to wait 9 months to receive fetal heart monitor records for her unborn child. The request had been filed in October of 2017.

The Rules
So, what are the HIPAA guidelines for this? A patient must be given the requested records within 30 days and only charged a reasonable fee if necessary. The regulations are also applicable when parents are requesting on behalf of their minor children.

Since Bayfront did not comply with this request in a timely fashion, they are now paying for it with a monetary fine, as well as with other expenses to the business, like damage to their reputation. A corrective action plan must be created, which includes development, maintenance, and revision of policies and procedures to comply with the HIPAA rule, and they will need to assign (and possibly hire) one or more individuals who will oversee this. Employees need to be trained and then acknowledge their compliance. These policies must also be updated annually.

All of this must be submitted to HHS within 60 days, with subsequent distribution to the workforce and business associates within 30 days of approval by HHS.

This article was originally published on HIPAA Secure Now! and is republished here with permission.
