The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has taken more than 20 enforcement actions concerning patients’ rights to timely access to their medical records from their provider. Those enforcement actions and their monetary penalties can be found linked from here.
For comparison between the GDPR and HIPAA, below is the summary of a recent enforcement action from Finland, as seen on EDPB:
Background information
Date of final decision: 16 December 2021
Cross-border case or national case: National case
Legal Reference: Right of access (Article 15), Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13)
Decision: Infringement of the GDPR, administrative fine and reprimand
Summary of the Decision
Origin of the case
The customer of the medical clinic who complained to the Office of the Data Protection Ombudsman stated that they had not received their patient records from the clinic. The Office of the Data Protection Ombudsman requested information from the clinic on which authority it deemed to be the data controller for patient records with respect to medical appointments of the clinic’s owner. The clinic did not, however, provide an appropriate statement regarding the matter.
Key Findings
The Deputy Data Protection Ombudsman considers that the clinic failed to implement the customer’s right to inspect their own data in accordance with the GDPR or to give a reason for restricting this right. The clinic also failed to inform its customers in an adequate manner about the processing of personal data, or to what extent it acted as the controller for patient records generated in its operations.
Decision
The Deputy Data Protection Ombudsman issued the company a reprimand for violating the GDPR and ordered it to change its procedure to comply with the data protection regulations on informing data subjects and implementing their rights. The Sanctions Board imposed an administrative fine of EUR 5,000 on the company. The Board considers the company’s practice to be systematic, in addition to which the violation was long standing and affected a large number of data subjects.
EDPB has a disclaimer on their site as follows:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.