
Compliance Update: HIPAA Right of Access Initiative Investigation Settlements

On September 9, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) began its first enforcement action and settlement in its Right of Access Initiative after a large Florida hospital failed to provide a new mother timely access to records about her unborn child.

Over the course of 10+ more investigations, the OCR has highlighted organizations that are undergoing settlements pertaining to the Right of Access Initiative in an effort to “send a message about the Importance of Access to Health Records.”

OCR announced this initiative promising to “vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.” The OCR's enforcement actions are designed to send a message to the healthcare industry about the importance and necessity of compliance with the HIPAA Rules.

OCR considers a variety of factors in determining the amount of the settlement, including the nature and extent of the potential HIPAA violation, the nature and extent of the harm resulting from the potential HIPAA violation, and the entity's history with respect to compliance with the HIPAA Rules, but the monetary settlements are hefty.

For example, in the twelfth settlement of an enforcement action in its HIPAA Right of Access Initiative, the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center, agreed to pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard after UCMC failed to respond to a patient’s February 22, 2019, records access request.

In addition to the monetary settlements, these organizations are also responsible for taking corrective actions to resolve the HIPAA violations. These typically include two years of monitoring to ensure the organization is implementing appropriate HIPAA compliance requirements!

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.

What can I do to ensure this doesn’t happen to me or my organization?

At Live Compliance, we make checking off your compliance requirements extremely simple.

  • Reliable and Effective Compliance

  • Completely online, our role-based courses make training easy for remote or in-office employees.

  • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.

  • Policies and Procedures curated to fit your organization, ensuring employees are updated on all Workstation Use and Security Safeguards, in the office or out. Update in real time.

  • Electronic, prepared document sending and signing to employees and business associates.

Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email me, Jim Johnson at or visit
