Privacy, Compliance Management

HIPAA gives patients right to access records, settlements with HHS warn

OCR announced three resolutions with separate dental providers to resolve allegations of the HIPAA Privacy Rule’s right of access standard. (Photo credit: “U.S. Department of Health and Human Services” by WEBN-TV is licensed under CC BY-ND 2.0.)

The Department of Health and Human Services Office for Civil Rights has reached resolutions of its investigations into three separate dental practices over possible violations of the Health Insurance Portability and Accountability Act Privacy Rule's patient right of access standard.

These regulatory actions “send an important message to dental practices of all sizes covered by the HIPAA Rules to ensure they are following the law,” OCR Director Melanie Fontes Rainer said in a statement.

“Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days,” she added. The hope is that the resolutions “send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

Under HIPAA, covered entities and relevant business associates are required to respond to patient access requests in a timely fashion and in the requested format. Ciitizen data has shown this is a huge compliance issue for many providers, though education and awareness have helped to improve the current state.

OCR has made patient right of access rules an enforcement priority for the last four years and has settled more than two dozen potential violations.

Great Expressions Dental Center of Georgia (GEDC-GA) agreed to pay a civil monetary penalty of $80,000; Chicago-based Family Dental Care will pay $30,000; and B. Steven L. Hardy, DDS will pay $25,000. All three have also agreed to implement a corrective action plan.

For GEDC-GA, the settlement stems from a November 2020 patient complaint made to OCR that alleged the dental office failed to provide her with access to her medical records, a request filed nearly a year earlier in November 2019. GEDC-GA also requested the patient pay $170 as a “copying fee” before the provider would give the patient her requested records.

The patient was not contacted by GEDC-GA to send the records until Feb. 2, 2021, a year and a half after the initial request.

OCR launched an investigation that found GEDC-GA didn’t provide the patient with timely access to the requested health information in a designated record set. And the “copying fee” was found to be “not reasonable and cost based, as required by HIPAA.”

The Family Dental Center settlement was brought on by an OCR investigation into an Aug. 8, 2020, complaint that alleged the dental provider failed to provide a former patient with timely access to her complete designated record set as she requested on May 8, 2020.

The records were not given to the patient until six months later on Oct. 12, 2020. OCR found Family Dental Center indeed failed to provide timely access as required by HIPAA.

Lastly, the Hardy settlement stems from a patient complaint filed with OCR on April 11, 2020, alleging the practice failed to provide a mother with timely access to both her and her minor child’s protected health information.

The HHS investigation revealed that three days after the emailed request to the provider for access, the patient was sent an email reply that said “the office was closed and offered to email the requested PHI to her if she confirmed the email address to which it should send the PHI.” 

The patient did so a few weeks later, but after several subsequent requests, the provider then stated the patient was required to send a written request with her handwritten signature before they would supply the requested records. The patient did so on Dec. 4, 2020, and access was provided by Dec. 31 of that same year. 

OCR found Hardy’s practice failed to provide timely access.

The settlements are not an admission of liability or guilt. But each provider will enter into a corrective action plan with similar requirements. Family Dental Center’s agreement will last for one year, and Hardy and GEDC-GA will have two-year action plans. All of the CAPs center around the required development of effective policies and procedures for ensuring timely access to patient records.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
