In 2020, the Department of Health and Human Services' Office for Civil Rights (OCR) resolved 19 HIPAA violation cases, more financial penalties than in any previous year, and collected $13,554,900 to resolve them. In 2021, OCR announced 14 enforcement actions, a small decrease in the number of HIPAA settlements and civil monetary penalties. Even so, the 2021 count is the second-highest of any year since OCR began enforcing compliance with the HIPAA Rules.
Although the number of penalties remained high in 2021, the total amount fell sharply to $5,982,150, and $5,100,000 of that came from a single enforcement action. Most of the 2021 penalties were for HIPAA Right of Access violations, investigated after patients complained that they had not been given timely access to their health records; they were not penalties for multiple HIPAA Rules violations affecting large numbers of people. The one exception was the $5,100,000 settlement with Excellus Health Plan, which was large because it resolved several HIPAA Rules violations spanning several years that resulted in a breach of the ePHI of 9,358,891 individuals.
Fines for HIPAA Right of Access Noncompliance
At the end of 2019, OCR launched a HIPAA enforcement initiative targeting non-compliance with the Right of Access standard of the HIPAA Privacy Rule, and it has enforced that standard aggressively since. As of December 2021, OCR had imposed 25 penalties for HIPAA Right of Access violations, totaling $1,564,650: 24 settlements and one civil monetary penalty, ranging from $3,500 to $200,000, many of them against small healthcare providers.
The HIPAA Right of Access standard (45 C.F.R. § 164.524(a)) gives individuals the right to inspect and obtain a copy of their own protected health information (PHI) held in a designated record set. On receiving a request from an individual or their personal representative, a covered entity must provide the records within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to health records may be denied only in limited circumstances.
OCR investigates complaints from individuals who say they were denied access to their medical records, did not receive them within 30 days, or were overcharged for copies. The financial penalties OCR imposed in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and resulted from refusals to provide copies of records or from long delays. In many cases, the records were only provided after OCR intervened.
2021 HIPAA Right of Access Enforcement Actions
1. Banner Health paid $200,000 as settlement
2. Rainrock Treatment Center LLC (dba Monte Nido Rainrock) paid $160,000 as settlement
3. Dr. Robert Glaser paid $100,000 as Civil Monetary Penalty
4. Children’s Hospital & Medical Center paid $80,000 as settlement
5. Renown Health paid $75,000 as settlement
6. Sharp HealthCare paid $70,000 as settlement
7. Arbour Hospital paid $65,000 as settlement
8. Advanced Spine & Pain Management paid $32,150 as settlement
9. Denver Retina Center paid $30,000 as settlement
10. Village Plastic Surgery paid $30,000 as settlement
11. Wake Health Medical Group paid $10,000 as settlement
Other HIPAA Violation Penalties in 2021
Only two HIPAA enforcement actions in 2021 were not for HIPAA Right of Access violations.
1. Excellus Health Plan paid $5,100,000 as settlement
2. AEON Clinical Laboratories (Peachstate) paid $25,000 as settlement