The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced the 14th settlement in its ongoing HIPAA Right of Access Initiative. Banner Health, a Phoenix-based health system that operates 30 hospitals and many other healthcare facilities, agreed to pay $200,000 for failing to provide patients with timely access to their medical records.

One patient requested her medical records in December 2017 but did not receive them until May 2018, and a second patient requested his records in September 2019 but did not receive them until February 2020. In both instances, Banner Health did not comply with the HIPAA Privacy Rule’s right of access standard, which requires timely access to records for a reasonable cost-based fee.

Under its settlement with OCR, Banner Health must revise its written policies and procedures, train and retrain its workforce, and submit periodic written reports to OCR for two years. Although the amount of the fine reflects Banner Health’s size, other recent Right of Access settlements have targeted smaller providers, so all healthcare providers must be mindful of their statutory obligations when patients request their records.