FOR IMMEDIATE RELEASE
July 15, 2022
Contact: HHS Press Office
202-690-6343
media@hhs.gov

Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began.  OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans.  After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

“It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

OCR has taken the following enforcement actions and ensured that complainants received copies of their records:

  • ACPM Podiatry, with offices in Peoria and Canton, Illinois, failed to provide a former patient with his requested medical records.  In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination.  OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
  • Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. Associated Retina has agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard.
  • Lawrence Bell, Jr., D.D.S., a dental practice located in Baltimore, MD, failed to provide timely access to a patient’s medical record.  The dental practice has agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.
  • Coastal Ear, Nose, and Throat (ENT), located in Ormond Beach, Florida, failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.
  • Danbury Psychiatric Consultants (DPC), located in Massachusetts, failed to respond timely to a complainant’s access request.  DPC also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. DPC has agreed to take corrective actions and has paid $3500 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.
  • Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center (ECMC), located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Fallbrook Family Health Center, located in Nebraska, failed to provide timely access to medical records.  Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Hillcrest Nursing and Rehabilitation, located in Massachusetts, failed to provide an individual’s personal representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
  • MelroseWakefield Healthcare (MWH), a provider in Massachusetts, did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records.  MWH has agreed to take corrective actions and has paid $55,000 to settle a violation of the HIPAA Privacy Rule’s right of access standard.
  • Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, failed to respond timely to a complainant’s access request.  Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.
  • Southwest Surgical Associates (SWSA), a group practice with nine locations in the Greater Houston, TX area, failed to provide an individual timely access to their health information.  SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
###
Note: All HHS press releases, fact sheets and other news materials are available at https://www.hhs.gov/news.
Like HHS on Facebook, follow HHS on Twitter @HHSgov, and sign up for HHS Email Updates.
Last revised: July 15, 2022

Content created by Office for Civil Rights (OCR)
Content last reviewed July 15, 2022