OCR Resolves HIPAA Right of Access Case With Pennsylvania Therapist

May 08, 2023 - The HHS Office for Civil Rights (OCR) settled a potential HIPAA right of access violation with Pittsburgh, Pennsylvania-based licensed counselor David Mente, MA, LPC. The psychotherapy provider must pay OCR $15,000 and enter into a corrective action plan.

The settlement marks the 44th case to be resolved under OCR’s HIPAA Right of Access Initiative, which exists to ensure that patients have access to their health records in a timely and cost-effective manner.

The case stemmed from a December 2017 complaint to OCR, filed by a father who alleged that Mente would not provide him with a copy of his three minor children’s medical records. At the time, OCR provided technical assistance to Mente to help him understand right of access requirements under HIPAA and subsequently closed the complaint.

In April 2018, the father requested the records again and Mente still failed to respond, OCR stated. OCR launched an investigation and determined that Mente’s failure to provide these records constituted a potential HIPAA violation.

OCR ordered Mente to respond to the request without delay and implement a variety of corrective actions, including updating the practice’s policies and procedures related to accessing protected health information (PHI).

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer.

“It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records. HIPAA regulated entities should be proactive and work to ensure patients and their representatives can access records.”

Mente will be required to provide training materials to HHS for approval within 30 days and must make a good faith effort to provide the complainant with his requested records. Additionally, the practice must submit a report to HHS regarding its compliance with the corrective action plan one year after the effective date.

“With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand,” HHS guidance states.

“Putting individuals ‘in the driver’s seat’ with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.”

The HIPAA Privacy Rule requires covered entities to provide patients with access to their PHI “in one or more ‘designated record sets’ maintained by or for the covered entity,” upon request.

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,” the guidance continues.

Regardless of when the information was created, or whether it is maintained on paper or electronically, patients always have the right to access their PHI, so long as it is held by a covered entity or business associate.