Behavioral Health Provider

Behavioral Health Provider Fined for Right of Access Violation


March 30, 2021 | Reading Time: 2 Minutes

Please support’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

On March 24, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its latest right of access violation settlement. Arbour Hospital, a behavioral health provider, based in Massachusetts, agreed to a $65,000 fine and to implement a corrective action plan to settle potential violations of the HIPAA right of access. More details on the settlement are discussed. 

Why was the Behavioral Health Provider Fined?

Under the HIPAA right of access standard, behavioral health providers are required to provide patients with access to their medical records within 30 days of a request, in the format the patient requests them in. Under this provision, providers are limited in how much they can charge (reasonable cost-based fee) to provide copies of medical records to patients. Although behavioral health providers do not need to provide access to psychotherapy notes, they must provide patients with access to the rest of their records.

In July 2019, the HHS’ OCR received a complaint from a patient alleging that Arbour Hospital (Arbour) failed to provide him with timely access to his medical records; the patient initially requested his records in May 2019. As a result of the complaint, OCR conducted an investigation and provided Arbour with technical assistance to provide the patient with access to his records. OCR then closed the complaint. However, OCR received a second complaint on July 28, 2019, when the patient still had not received his requested records. After the second OCR investigation concluded in November 2019, Arbour finally provided the patient with his medical records.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

What are the Terms of the Right of Access Violation Settlement?

The behavioral health provider has agreed to pay a fine of $65,000 and enter into a corrective action plan (CAP) that includes one year of OCR monitoring. The provisions of the CAP require Arbour to develop and implement:

  • A “Right of Access to PHI” policy to ensure comprehensive and timely responses to requests for records
  • Protocols for training all Arbour’s workforce members and business associates that are involved in receiving or fulfilling access requests, as necessary and appropriate to ensure compliance with the “Right of Access to PHI” policy
  • A sanctions policy, to be applied against Arbour workforce members who fail to comply with the “Right of Access to PHI” policy
  • A process for reviewing business associate performance with regard to access requests and responses and for terminating relationships with business associates who fail to permit Arbour to comply with the “Right of Access to PHI” policy

To read the full settlement, please click here.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance, with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Privacy Policy and Terms and Conditions.

Please share your thoughts in the comment box below.

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Anonymous Please
Anonymous Please
2 years ago

I worked for Arbour (community clinic, not hospital, but same organization) years ago, and I wouldn’t be surprised if they failed to provide the files because they couldn’t find them. Of course, my experience was when there was no EHR, just paper records… and admin staff regularly misfiled those or lost them, then claimed that they had never been submitted. And counselors were only notified of this after three months had passed, when we were told we had to re-submit or hunt through all the clients’ files, but would not be paid in any case.

Register for Free

Receive Any of Our 57 FREE Newsletters!


Most Popular Topics

You May Also Like…

ChatGPT HIPAA Considerations
ChatGPT HIPAA Considerations

ChatGPT HIPAA compliance is one of the hottest topics at 2023 conferences and with good reason. AI...