HIPAA Compliance Lessons Learned from OCR Civil Monetary Penalties

$70,000. That was the amount of one Office for Civil Rights (OCR) Civil Monetary Penalty (CMP) for non-compliance with HIPAA. To date, OCR has issued 20 CMPs. Don’t be the next healthcare provider to be faced with a fine. All it takes is due diligence and a commitment to rigorous compliance.

So why was a healthcare provider fined $70,000? The settlement and corrective action plan were the results of a complaint filed with the OCR in June 2019. It claimed that the facility failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. The OCR provided technical assistance on the alleged failure to provide the patient with access to the records and requested that the provider respond to the patient’s request. In August 2019, the OCR received a second complaint from the same patient alleging that the provider still had not responded to the patient’s records access request. The OCR investigated the matter, and only then did the provider give access to the requested records.

Lesson Learned: Pay Attention to OCR Technical Assistance… and Take Action to Resolve the Complaint

The OCR typically only issues technical assistance in response to a complaint—so it goes without saying that you need to take technical assistance seriously. Following the guidance given ensures you are not acting as a barrier between the patient and their information, and it will help you avoid a penalty. While a response to the technical assistance itself is not required, you are required to act upon the complaint; in other words, you need to release the information requested by the patient.

If you don’t agree with a complaint or don’t understand why you received the technical assistance, you can contact the OCR. The assigned investigator and their contact information will be included in the technical assistance. You—or your compliance or legal officer—can talk directly to the investigator to understand how you can ensure compliance. Take advantage of this opportunity to understand why you may be in violation of HIPAA and what your responsibilities are to the patient in this specific situation.

Want more lessons? Access my recorded webinar!
Listen to my webinar, Why Rigorous Compliance is Critical in ROI: Lessons learned from 18 OCR Civil Monetary Penalties.

Once you have discussed the complaint, take the necessary action to resolve it and then use what you learned to educate your team so further complaints are not made. It sounds simple, but it’s an ongoing process that requires you to continuously review and refine your compliance program. Ciox has taken a proactive approach to continuous improvement using Lean Six Sigma principles; learn more about how we reinvented our compliance program and improved quality on my webinar, Compliance & Quality – It’s Time to Learn a New Language.

HIPAA compliance is not easy, but it’s good to know that the OCR is available to help—before issuing penalties. Use the technical assistance not only to resolve single complaints but to improve your compliance program and ensure you are supporting every patient’s right of access to their medical information.


Earlier this year, I wrote an article in the Journal of AHIMA about Patient Right of Access and OCR fines. More fines have been issued since then, but the lessons remain the same. Read the article here.
