HHS takes first-ever enforcement action under HIPAA’s right of access to health records

The Office of Civil Rights in the US Department of Health and Human Services has taken its first enforcement action under the HIPAA right of patient access to health records. HHS announced that it fined a health care provider $85,000 for failing to provide health care records to a patient upon written request, stating in its published Resolution Agreement that the HHS investigation indicated that a hospital had “failed to provide access to protected health information about the individual in a designated record set.” HHS said that this is the first case it has brought based on the rights afforded to patients under HIPAA to see and/or copy their health records under 45 C.F.R. § 164.524. 

Delays or denials in receiving patient records are particularly common among victims of medical identity theft. This first case did not address victims of medical identity theft and their problems with getting their health records, but it is a hopeful sign that the Office for Civil Rights is taking the issue of access to records more seriously. 

Under HIPAA, patients have a right to inspect and copy their records. Patients can also choose the format they want to receive the records in, including electronic formats. Health care providers may only charge a reasonable, cost-based free for providing a copy of a patent’s health records. After a patient has made a request for their protected health information, the health care provider has 30 days to provide the information, with the possibility of an additional 30 day extension on top of that if they provide the patient with a written explanation of the delay. 

WPF has published extensive information about HIPAA and how patients can use HIPAA to protect their health privacy. Our Patient’s Guide to HIPAA is available online and in eBook format. See Part B of the Guide for practical answers to questions about how patients can access their health records. WPF has updated the Guide for 2019.