Healthcare Provider Pays $160,000 Penalty Over HIPAA Right of Access Violation

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued the 12th HIPAA penalty for this year 2020. With respect to the HIPAA Right of Access enforcement initiative, this penalty is the 8th to be issued since 2019. This penalty is the largest HIPAA penalty ever as $160,000 was paid to settle a case of failure to provide timely access to requested medical records.

On January 24, 2018, the mommy of a patient submitted a request to Dignity Health, also called St. Joseph’s Hospital and Medical Center (SJHMC) for a copy of the medical records of her son. The mother serves as the son’s personal representative in making the request. On April 25, 2018, OCR received a complaint from the mother because until then she did not receive all the requested medical records.

The complaint prompted OCR to investigate the matter and learned that the mother had already filed with SJHMC four separate requests for her son’s medical records. The dates of submitting the requests were January 24, March 22, April 3, and May 2, 2018.

SJHMC actually responded to the mother’s requests but failed to give all the requested documents. The mother made several follow-ups on SJHMC to get the deficient records. These were on May 2, May 10, and May 15, 2018. However, on all occasions, SJHMC replied with incomplete records and did not include the specifically requested records. On December 19, 2019, SJHMC finally provided all the requested records. Sadly, it was given 22 months after the first request date.

SJHMC had to pay $160,000 of financial penalty to OCR to resolve the case though without liability admission. SJHMC also needs to carry out a corrective action plan to fix all noncompliance issues with the supervision of OCR for two years.

According to OCR Director Roger Severino, covered entities should not wait until they are subjected to a federal investigation to give patients their requested medical records. Many cases have shown that healthcare providers do not take their HIPAA obligations seriously until investigated. Currently, OCR has plenty of open right of access cases all over the country and it won’t cease to help patients get what they deserve by enforcing this right of access initiative.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at