Enforcement Action Under HIPAA Right Of Access Initiative

Written by: Michelle Johnston, CIPM, CIPP/US and Susie Kenerson, CIPP/US Compliance Privacy Officer at CSR Privacy Solutions, Inc.

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) enforces federal standards governing personal health information (“PHI”) or personally identifiable information under the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule, Security Rule and Breach Notification Rule. HHS also has authority to conduct compliance reviews and to investigate complaints of violations of the HIPAA rules by covered entities and business associates.

In early 2019, HHS created an initiative to improve its enforcement of violations of patients’ access rights under HIPAA’s Privacy Rule. On September 6, 2019, HHS settled its first enforcement action under that initiative, against the covered entity Bayfront Health St. Petersburg (“Bayfront”), for a potential violation of a patient’s right of access. HHS settled with Bayfront for a monetary payment of $85,000 and entered into a corrective action plan (“CAP”) that specifies Bayfront’s obligations, including one (1) year of monitoring by HHS and retention of compliance documentation for six (6) years.

Under the CAP, Bayfront must:

A. Develop and maintain policies and procedures relating to data access rights (“access policies and procedures”), with the oversight of HHS, including:

  1. Update current access policies and procedures so that they address comprehensive responses to PHI access requests.
  2. Distribute the policies and procedures to its employees and relevant business associates.
  3. Implement training protocols for its employees and relevant business associates.
  4. Inform HHS of sanctions against employees and business associates who fail to comply with the access policies and procedures.
  5. Conduct assessments of business associates’ compliance with, and/or failures regarding, responses to access requests.
  6. Designate person(s) responsible for oversight of the business associates and their adherence to the business associate agreements.
  7. Review and assess the policies and procedures annually or as needed, and provide any revised policies and procedures to HHS for review and approval.

B. Maintain and provide documentation to HHS, including:

  1. A list of all business associates involved in fulfilling PHI access requests, and copies of the relevant business associate agreements.
  2. All training material relevant to access requests for employees and business associates, for HHS’s review and approval.
  3. Reports of any events in which an employee or a business associate has failed to comply with the access policies and procedures.
  4. An Implementation Report confirming that all access policies and procedures have been distributed to all appropriate employees and business associates and that compliance certifications have been obtained, with details on training materials and an executive-level attestation of the Implementation Report’s accuracy and truthfulness.
  5. A final, accurate and truthful Annual Report with attestations of compliance.
  6. Evidence of adherence to the CAP’s required six (6) year retention of compliance documentation.

Lessons Learned

Risk awareness through assessment of:

  1. Internal data systems including PHI storage locations
  2. Data sharing outputs
  3. Training

The settlement terms and requirements established between HHS and Bayfront highlight the importance of covered entities having policies and procedures in place, as well as strict protocols for training and oversight of their employees and business associates, to ensure the established procedures are actually followed.

Regular internal assessments of policies and procedures identify gaps in an organization’s compliance program and ensure that up-to-date processes are followed throughout the organization and by its business associates.

Risk evaluation through assessments and audits of internal processes and due diligence of business associates.

When responding to a data access request, it is imperative that the processes put in place by an organization are strictly followed, including obtaining any necessary information from the relevant business associates contracted with the organization. Under HIPAA’s Privacy Rule, health organizations must respond to a patient’s access request as soon as possible, and no later than 30 calendar days from receiving the request.

Risk avoidance through use of tools to:

  1. Identify gaps in, or the absence of, the organization’s compliance program
  2. Monitor and document business associates’ compliance processes

What will be the outcome and effects on the business should it fail to properly respond to a data access request? Violations of the requirements for a consumer’s access to their data can bring steep monetary fines, and may also force a business to implement policies and procedures under pressure if they are not already in place. Planned preparation avoids this and allows those processes to be fine-tuned in advance.

CSR Privacy Solutions, Inc. can ease the tension small to medium size businesses (SMB) may feel with implementing and keeping up to date with necessary policies and procedures. CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the risk of data breach and consequences related to non-compliance associated with the handling of legally protected personal information.

CSR Readiness delivers a PROACTIVE solution, enabling small to medium size businesses (SMB) to assess their privacy systems and safeguards and presenting them with suggested improvements for areas the program identifies as deficient. Many companies may still suffer a data breach; when this happens, Breach Reporting Service is the REACTIVE solution that provides privacy reporting for the SMB community. CSR-V3 is an automated vendor privacy risk reduction tool that documents your vendor management, verification and validation due diligence.
