Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Five enforcement actions signal continuing OCR focus on HIPAA right of access

      Articles

    Article

    Five enforcement actions signal continuing OCR focus on HIPAA right of access

    Dec 30, 2021

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague

    Healthcare providers should ensure that they are responding properly to patient records requests, and charging compliant copy fees.

    On November 30, 2021, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services released five more enforcement actions under its HIPAA Right of Access Initiative (the Initiative). The Initiative is intended to ensure that individuals receive timely access to their health information at a reasonable cost. Since the Initiative was announced in 2019, these settlements — which involve healthcare providers of all types and sizes — bring the total number of Initiative enforcement actions to 25. 

    Subject to limited exceptions, the HIPAA Privacy Rule requires that a covered entity afford a patient, or the patient’s personal representative, access to inspect and obtain a copy of the patient’s protected health information (PHI). The covered entity must act on a request for access no later than 30 days after its receipt of the request, with the ability to extend its response time for up to 30 days with notification to the individual. The covered entity is limited to charging only a reasonable, cost-based fee for the copy of the PHI, and any fee also must comply with applicable state law requirements.

    The recent enforcement efforts include two of the higher financial penalties of the Initiative’s enforcement actions: a financial settlement of $160,000 with Rainrock Treatment Center, LLC (d/b/a Monte Nido Rainrock) and a civil money penalty of $100,000 with Dr. Robert Glaser. Three of the enforcement actions require the covered entities to adhere to two-year corrective action plans (CAPs) and one requires a one-year CAP.

    These enforcement actions also continue trends seen in the Initiative’s prior enforcement. For example:

    • Organizations of all types and all sizes are struggling with the right of access requirement. The enforcement actions under the Initiative highlight that challenges complying with the right of access requirement are not unique to small providers or certain types of clinical entities. The recent five enforcement actions involve both a solo practitioner and larger clinical practices, including a multi-site provider.
    • Entities being investigated by OCR should cooperate with such investigations. A major theme in the Initiative enforcement actions is that OCR often reached out to the entity and provided technical assistance, but several entities did not, or did not fully, implement the guidance from OCR. This is seen acutely in the enforcement action against Dr. Glaser, because OCR advised his practice in 2017 to evaluate a patient’s request for access and to provide access if the patient’s requests complied with the HIPAA access requirements. After OCR received a second complaint from the same patient in 2018, OCR opened an investigation and requested information from the practice. After repeated outreach, OCR issued a civil money penalty for violating the right to access requirement when the practice failed to provide the requested information. Covered entities should take advantage of any technical assistance offered by OCR to ensure that they are providing appropriate medical record access to individuals; doing so may prevent an enforcement action or lessen a financial settlement or the length or terms of a CAP.
    • Covered entities should ensure that they have enacted compliant policies and procedures addressing the HIPAA right of access requirements. In the recent enforcement action against the Denver Retina Center, an ophthalmological services provider, OCR determined that the practice not only did not provide a patient with access to their records, but also did not have compliant policies and procedures for the HIPAA right of access, leading to a financial settlement of $30,000 and a two-year CAP. In its investigation of a right of access complaint against the Wake Health Medical Center, a primary care medical group, OCR discovered that the practice charged a flat fee for medical record copies, regardless of the size of the records. The two-year CAP requires Wake Health to revises its policies and procedures to identify methods for calculating a reasonable, cost-based fee for medical record copies.

    These recent enforcement actions emphasize not only that covered entities should have a process in place to respond to access requests in a compliant manner, but it is also important to ensure that their workforces are trained to understand patients’ access rights and the covered entity’s obligations for the same.

    These latest five enforcement actions under the Initiative also emphasize that healthcare providers must continue to take their obligations to provide patients with timely access to PHI and limit costs for such access as required by HIPAA and state law.

    Practices

    Cybersecurity & PrivacyHealthcare

    Insights And Happenings

    • Article

      OCR issues reminder of security incident obligations

      Oct 28, 2022
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved