February 19, 2021

OCR’s Sixteenth HIPAA Right of Access Settlement

On February 12, OCR settled its sixteenth enforcement action related to the HIPAA Right of Access. As part of this settlement, Sharp Healthcare agreed to pay $70,000 for, among other things, allegedly failing to direct an electronic copy of PHI in an electronic health record to a third party at the patient’s request. Under HIPAA, covered entities must respond to access requests no later than 30 days after receipt by providing access, denying the request, or asking for an extension. OCR has issued guidance on this topic noting that covered entities could provide almost instantaneous or very prompt electronic access to PHI when using health information technology. OCR has further included FAQs on HIPAA’s Access Right and a new clarification on the Flat Rate Option for Copies of PHI as part of this guidance.