On November 19, 2024, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced a civil monetary action against a mental health center in California for failing to provide a patient with timely access to her medical records. As a result, the mental health center was hit with a $100,000 penalty.¹
In this case, the patient requested her medical records from a community mental health center (the Center) during her visit on March 18, 2020. However, the records were not provided until seven months later, far exceeding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s requirement to provide a patient, or their representative, timely access to health information (within 30 days, plus the possibility of one 30-day extension).²
Initial delays in responding to the patient’s request were due to the COVID-19 pandemic’s stay-at-home order, which led to the closure of county buildings, including the mental health center, and limited the number of staff members available to process the request.
In May 2020, when staff returned to the office, the patient was notified that her records were ready for pickup. On May 27, 2020, the patient arrived at the Center and waited 20 minutes, but left after receiving a notification that she would be contacted when her records were ready. However, by July 17, 2020, the patient had still not received her records. Multiple calls made to the Center that day went unanswered.³
In August 2020, the patient spoke to various staff members on several occasions, but no follow-up occurred. Frustrated with the lack of progress, the patient filed a complaint with OCR on August 21, 2020.
On October 7, 2020, OCR contacted the Center regarding the complaint. The Center then made multiple attempts to contact the patient by leaving voicemails and sending a letter of apology. The requested records were finally sent to the patient on October 20, 2020.³
During its investigation, OCR discovered the delay in providing the records stemmed from the actions of an individual staff member responsible for responding to medical record requests. Although one attempt was made to contact the patient after she left the clinic, there was no further follow-up.
On August 31, 2022, OCR notified the Center of its findings, stating that the failure to provide timely access to the medical records was a violation of the patient's rights under HIPAA.³ The Center was given the opportunity to settle the matter informally, but failed to do so.
On February 3, 2023, OCR again informed the Center of its noncompliance and provided an opportunity to submit evidence of mitigating factors. The Center alleged that initial delays were due to the stay-at-home order and failed attempts to contact the patient. However, OCR determined that these factors did not warrant a waiver of a monetary penalty.
On July 16, 2024, OCR informed the Center it was imposing a $100,000 penalty for the delay in providing records. The formula used to calculate the penalty was 156 days × $1,379/day = $215,124, capped at $100,000 (maximum penalty).³
The OCR Director emphasized the importance of timely access to medical records for patients. She stated that ensuring patients' rights to access medical information in a timely manner is a priority for OCR, and healthcare providers have a legal obligation to fulfill this right.¹ Failure to comply with these obligations can result in penalties, such as the one imposed on the Center.
This incident marks the 51st financial penalty imposed by OCR for alleged violations of the HIPAA Right of Access. It is also the 12th penalty in 2024 addressing noncompliance with HIPAA Rules. OCR is committed to taking action against healthcare providers who fail to meet their obligations under HIPAA and will use all available means, including civil monetary penalties, to ensure compliance with the law.¹
By following these steps, you can minimize the risk of fines and maintain compliance with patient medical record requests:
1. Familiarize yourself with HIPAA regulations: Understand the HIPAA regulations regarding patient privacy and the right to access medical records. This includes knowing the timelines and requirements for responding to patient requests.²
2. Establish clear policies and procedures: Develop clear policies and procedures within your practice for handling patient medical record requests. Ensure that all staff members are trained in these policies and understand their roles and responsibilities.
3. Educate patients about the process: Inform patients about their rights to access their medical records and the process they need to follow to request them. Provide clear instructions on how to make a request, including the required forms and any associated fees.
4. Streamline the request process: Implement an efficient system for managing medical record requests. This may involve using electronic health record (EHR) systems to easily retrieve and transmit records, as well as having designated staff members responsible for handling requests.
5. Maintain organized records: Keep medical records well organized and easily accessible. This will help in promptly responding to patient requests without delays or confusion.
6. Respond within the required timeframe: Be familiar with state and federal regulations. Some states impose timeframes more stringent than HIPAA’s 30-day requirement. For example, California law requires healthcare providers to respond to patient medical record requests within 15 calendar days.⁴,⁵ Aim to respond as quickly as possible to avoid potential monetary penalties.
7. Communicate effectively: Maintain open lines of communication with patients regarding their medical record requests. If there are any delays or issues, inform the patient promptly and provide an estimated timeline for completing their request.
8. Securely transmit records: When providing medical records to patients, ensure that the transmission method is secure and complies with HIPAA guidelines. This may involve using encrypted emails or secure online portals.
9. Keep documentation: Maintain documentation of all medical record requests and responses, including dates, communication records, and any challenges faced during the process. This documentation will serve as evidence of compliance, if needed.
10. Regularly review and update policies: Continuously review and update your policies and procedures to ensure compliance with any changes in state or federal regulations. Stay informed about any updates or guidance provided by relevant healthcare authorities.
Monica Ludwick, Pharm.D. is a Senior Risk Management and Patient Safety Specialist. Questions or comments related to this article should be directed to MLudwick@CAPphysicians.com.
References
¹Archive of the U.S. Department of Health and Human Services. (2024, November 19). “HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records” [Press Release]. Accessed November 27, 2024. https://public3.pagefreezer.com/browse/HHS.gov/02-01-2025T05:49/https:/…
²U.S. Department of Health and Human Services. (2024, January 5). “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.” Accessed November 27, 2024. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ind…
³U.S. Department of Health and Human Services. (2024, July 16). “Rio Hondo Community Mental Health Center Notice of Proposed Determination.” https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agre…
⁴Medical Board of California. “Patient Access to Medical Records.” Accessed November 27, 2024. https://www.mbc.ca.gov/Resources/Medical-Resources/Access-Records.aspx
⁵California Legislative Information. California Code. “Health and Safety Code Section 123100.” Accessed November 27, 2024. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123100