September 28, 2022

HIPAA Right of Access Initiative: No End in Sight

By Deborah A. Cmielewski, Esq.

Since the inception of the Health Insurance Portability and Accountability of 1996 (“HIPAA”) Right of Access Initiative (the “Initiative”) in early 2019, the Office for Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) has been relentless in its enforcement activities. In just three (3) short years, the OCR has completed a total of forty-one (41) enforcement actions, with absolutely no end in sight. Nevertheless, entities subject to the HIPAA right of access rules have persisted in their failure to comply with the Federal requirements. The OCR has continued to impose civil monetary penalties and onerous Corrective Action Plans to both curb this behavior and illustrate the necessity for individuals to have appropriate access to their health information. 

Recognizing the need for a more patient-centered health care system where individuals can monitor their health conditions, correct errors in their health records, and comply with treatment plans, the OCR launched the Initiative in early 2019. The goal of the Initiative was to advance the fundamental rights of patients to receive copies of their medical records in a prompt manner at a reasonable cost. Subject to limited exceptions, the HIPAA rules require healthcare providers and health plans to respond to a record request within thirty (30) days. An entity receiving a request may obtain a thirty (30) day extension to respond, but it must furnish a written explanation for the delay and set a date that it expects to provide a response.

In September of 2019, the OCR announced its first settlement under the Initiative, requiring Bayfront Health St. Petersburg (“Bayfront”) to pay $85,000 for failure to promptly respond to a mother’s request for records concerning her unborn child. The associated Corrective Action Plan included the requirement for Bayfront to develop, maintain and revise its policies and procedures; furnish them to HHS for review, comment and approval; distribute the policies and procedures to its workforce; develop and administer a training program; identify and train business associates involved in fulfilling access requests; and provide ongoing reports to HHS, all within strict time frames. 

In the forty (40) enforcement actions that followed the Bayfront Resolution, the OCR has imposed similar terms and conditions. Most recently, on September 20, 2022, the OCR announced three (3) more settlements, all arising from complaints filed against dental practices in 2020. OCR investigated the complaints and determined that the providers had potentially violated the HIPAA right of access provision. In each of the settlements, the providers agreed to enter into a Corrective Action Plan and pay a civil monetary penalty as follows:


Entity                                                                         Civil Monetary Penalty

Family Dental Care, P.C.                                            $30,000

Great Expressions Dental Center of Georgia, P.C.     80,000

B. Steven L. Hardy, D.D.S., LTD                               25,000

Entities subject to the HIPAA right of access rules must be prepared to respond to requests for information immediately. It is crucial to maintain updated policies and procedures and to regularly train the workforce, so that they ready at all times. Failure to heed the OCR’s warning could result in dire consequences that includes a relationship with HHS for a long time to come.


For more information, contact Deborah A. Cmielewski at or at (973) 540-7327.