By: Christopher A. Parrella, Esq., CPC, CHC, CPCO Parrella Health Law, Boston, Ma. A Health Care Provider Defense and Compliance Firm
In November 2024, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $100,000 fine against the Rio Hondo Community Mental Health Center, operated by the Los Angeles County Department of Mental Health. The penalty arose from the clinic’s failure to provide a patient with timely access to her requested medical records—a clear violation of HIPAA’s right-of-access rule.
This case is a stark reminder of the regulatory weight placed on patient access to medical records, a priority for OCR since its 2019 HIPAA Right-of-Access Initiative. For providers, this enforcement action sends a strong message: compliance is not optional, even during extraordinary circumstances like the COVID-19 pandemic.
The Case: Delayed Access During a Pandemic
The patient first requested her records in March 2020, just as California entered a statewide lockdown. Despite repeated written and in-person follow-ups, the clinic delayed fulfilling the request for over seven months. Only after OCR launched an investigation was the patient’s request finally honored in October 2020.
OCR determined that the clinic’s delays were unjustified. Even during the pandemic, healthcare providers were expected to uphold their HIPAA obligations. As OCR Director Melanie Fontes Rainer stated, “Patients should never be in the position of needing to request their own medical records over and over again before getting access to them.”
Lessons for Healthcare Providers
This enforcement action serves as a critical lesson for providers:
- imeliness is Non-Negotiable: HIPAA requires that patient requests for medical records be fulfilled within 30 days, with a possible 30-day extension for valid reasons. Delays, even during emergencies, are not tolerated without clear justification
- Proactive Risk Management: Integrating HIPAA right-of-access compliance into your annual risk assessments is essential. Identifying and addressing potential delays or barriers in fulfilling patient requests can prevent regulatory action.
- Training and Oversight: Training staff and implementing a robust process for managing medical records requests can help ensure compliance. Regular audits and status meetings, as adopted by the Los Angeles County Department of Mental Health, can further strengthen compliance efforts.
- Business Associate Agreements: Providers must ensure that business associates involved in medical record management are equally committed to compliance.
Avoiding the Cost of Non-Compliance
OCR has made it clear that it will not hesitate to enforce HIPAA violations, even imposing civil monetary penalties when necessary. Providers who fail to prioritize compliance risk steep fines, reputational damage, and potential operational disruptions.
If your organization is unsure about its HIPAA compliance or needs help implementing effective risk management strategies, Parrella Health Law can help. With decades of experience in healthcare compliance and enforcement matters, we offer tailored guidance to help providers navigate complex regulations and minimize risk.
For questions or assistance, please contact Parrella Health Law at 857-328-0382 or email Chris directly at cparrella@parrellahealthlaw.com. Don’t wait until OCR comes knocking—ensure your compliance today.
Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.
Leave a Reply