Massachusetts Mental Health Clinic Pays $65,000 to Settle HIPAA Right of Access Case

Boston, MA-based Arbour Hospital, a mental health clinic, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) by paying a $65,000 penalty.

On July 5, 2019, OCR was informed regarding a potential HIPAA Right of Access violation. A patient of Arbour Hospital stated he had submitted a request for a copy of his medical records from the hospital on May 7, 2019 however had not been given those records in a period of two months.

Whenever a healthcare company receives a request from an individual who wants to exercise their HIPAA Privacy Rule right to get a copy of their healthcare records, a copy of that information should be given immediately and no later than 30 days after receiving the request. It is possible to extend the period beyond 30 days in cases where records are saved offsite or are otherwise not quickly accessible. In such instances, the patient wanting to have the records should be advised concerning the extension in writing within 30 days and be provided with why the documents are delayed.

OCR contacted Arbour Hospital and offered technical support on the HIPAA Right of Access on July 22, 2019 and closed the complaint. The patient then sent a second complaint to OCR on July 28, 2019 because he still did not receive his healthcare data. The records were eventually provided to the patient on November 1, 2019, nearly 6 months after submitting the written request and more than 3 months after the technical assistance on the HIPAA Right of Access given by OCR.

OCR confirmed that the failure to respond to a written, signed medical record request from an individual promptly violated the HIPAA Right of Access – 45 C.F.R. § 164.524(b). Besides the financial penalty, Arbour Hospital needs to undertake a corrective action plan that entails employing policies and procedures regarding patient record access and giving training to the employees. Arbour Hospital will additionally be under OCRmonitoring for 1-year compliance.

Health care providers have a responsibility to give their patients prompt access to their own health records, and OCR will hold providers responsible for this requirement so that patients can exercise their rights and get necessary health data to be active participants in their medical care, explained by Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative began at the end of 2019 to make sure patients are furnished with on-time access to their medical records at a fair price. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations following this enforcement initiative and the 4th HIPAA Right of Access settlement to be reported in 2021.