
Failure to Provide Access to PHI Leads to $85,000 HIPAA Settlement



HHS Resolution Agreement: Bayfront HMA Med. Ctr., LLC (Sept. 6, 2019); HHS News Release (Sept. 9, 2019)

Available at

HHS’s Office for Civil Rights (OCR) has announced an $85,000 settlement with a hospital that allegedly failed to timely provide protected health information (PHI) in response to an individual’s request. According to OCR’s news release, HIPAA generally requires covered entities to provide medical records within 30 days of a request, but the hospital in this case did not provide the records for more than nine months. OCR noted that the request was made by a mother, who sought fetal heartbeat records for her unborn child. OCR’s news release indicates that a patient’s right to access medical records extends to parents who seek medical information about their minor children.

In addition to the settlement payment, the hospital agreed to a corrective action plan (CAP) under which it must develop, maintain, and revise its policies and procedures to comply with the access provisions of the HIPAA privacy rule. The revised policies and procedures must address the hospital’s designated record set policy; training protocols; sanctions against workforce members who fail to comply with the policies and procedures; a process to review business associate performance regarding access requests and consequences for noncompliance; and designation of an individual responsible for ensuring that business associate contracts are properly executed. Following HHS’s review and approval, the revised policies and procedures must be distributed to workforce members, who must certify that they have read, understand, and will abide by them. The hospital’s training materials are subject to similar review and approval by HHS, and workforce members must receive training by specified deadlines.

EBIA Comment: OCR has been focused on access to PHI for several years and has released extensive guidance on individuals’ access rights (see our Checkpoint article). Therefore, it’s no surprise to see enforcement activity in this area, and covered entities (including health plans) and their business associates should take this cue to review the guidance again. Although the dollar amount of the settlement may be considered modest, keep in mind that only one individual was affected by this violation, and the CAP will require the hospital to expend significant sums for compliance. We would also caution that the news release’s assertion that a parent can always access a minor child’s medical records is incomplete because it fails to mention the significance of the parent’s status as the child’s personal representative. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXVI.G (“Personal Representatives, Minors, and Spouses”), and XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).


Contributing Editors: EBIA Staff.
