This month we look at a Health Insurance Portability and Accountability Act (HIPAA) enforcement action taken against a physician who failed to provide a patient with his requested medical records. This is an important case because it demonstrates the opportunities the physician had to correct the situation before he was ultimately fined.

Facts of the Case

The physician, Dr D, was a busy podiatrist who owned a practice with two offices. The issue began in September 2018, when a former patient, Mr L, called the podiatrist’s office requesting a copy of his records. After getting no response, he called again in October.

The patient had an open bill with the physician, which his insurance had refused to pay, and he was attempting to appeal this decision by his health insurance company. After getting no response from his second call requesting the information, Mr L went into the office in November 2018 and filled out a written request for records. He was told they would be sent to him, but weeks passed, and he received nothing.

The following month, December 2018, Mr L called the office to follow up on his request. An employee informed him that the office was not trying to refuse his request, but rather had a lot of surgeries to complete before the end of the year, and that he should be patient.

By the end of January 2019, Mr L had run out of patience, and he called the physician again. This time, Dr D spoke to him and told him that his bill was unpaid and that if the patient or insurance didn’t pay the bill, the office would not release the records.

Mr L filed a complaint with the Office for Civil Rights (OCR), the enforcing authority for HIPAA violations, contending that he was a former patient and the physician’s office was improperly withholding his medical records.

In HIPAA enforcement actions, OCR typically issues a ‘technical assistance letter’ that seeks to help the physician’s office understand and comply with the rules and gives the office a chance to correct the error. In this case, the letter advised the podiatrist’s office about Mr L’s right to access his personal health information. It informed Dr D that such a request must be acted upon no later than 30 days after it is received and that Dr D could not withhold or deny access to the records on the grounds that a bill was not paid. Mr L also received a letter from OCR saying that the investigation had been informally closed after providing technical assistance to the podiatrist’s office, and that if Mr L had any other problems, he should contact OCR.

In late April 2019, Mr L went to the office to inquire about finally picking up the records, and he was told by an employee, “we still have your request, and we have your number.”