On December 12, 2019, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced the second settlement under its “Right of Access Initiative.” A health care company that provides primary care and interventional pain management services (“Provider”) will pay $85,000 and enter into a Corrective Action Plan (“CAP”) to settle potential violations of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The Penalty
OCR received a complaint on March 6, 2019 that the Provider failed to timely provide a third party with a patient’s records when the patient had repeatedly directed the Provider to send them to the third party pursuant to HIPAA’s right of access for individuals. The complaint also alleged that the fees charged by the Provider for the records were not reasonable, cost-based fees as required by HIPAA and that the records were not produced in the electronic format requested by the patient. In response to the complaint, OCR provided technical assistance to the Provider and closed the complaint on March 18, 2019, directing the Provider to produce the records to the third party as requested by the patient and in compliance with HIPAA. However, on March 22, 2019, OCR received a second complaint about the Provider’s continued failure to comply with the patient’s request, despite having received explicit direction from OCR on how to comply. HHS opened a second investigation and determined that the Provider failed to provide access to the patient’s protected health information starting April 22, 2019 until May 12, 2019, when the Provider eventually did produce the records in the format requested without charge.
The CAP
The CAP includes an obligation for the Provider to submit a status list of all access requests to HHS every 90 days. The Provider must also review and revise its access policies, retrain its workforce members on the revised policies and report to HHS any workforce member’s violation of the access policies.
HIPAA and the Right of Access
Although state law may provide an even shorter response time that covered entities should be aware of, under HIPAA, a covered entity (or a business associate to which the task has been delegated) must respond to a patient’s request for access to the patient’s medical records within 30 days. It is permissible to extend that timeframe by an additional 30 days if the covered entity is unable to respond within the initial 30 days; however, the patient must be notified of the delay in writing. The written notification to the patient must state the reason for the delay and also the date the covered entity will respond to the access request. A covered entity may only utilize the 30-day extension once when responding to a patient’s request.
Practical Takeaways
This is the second Right of Access Initiative settlement in 2019. We discussed the first incident here. We urge covered entities and their business associates to note the following given OCR’s intense focus on compliance with HIPAA’s access requirements:
- Access requests include requests from patients directing the covered entity to send their records to a third party on the patient’s behalf. Such requests are subject to the same time limits and fee restrictions as applicable when a patient requests the record be sent to him or herself directly. Staff should be trained to categorize such requests appropriately to ensure they are addressed timely and proper fees (if any) are assessed.
- When handling individual rights requests, it is important to keep the individual apprised of the status of the request or any obstacles encountered when responding. Covered entities should consider sending a requesting patient confirmation of the request that includes the scope of the response and the timeline for receipt, as well as who to contact if the patient has questions about status. Maintaining an open line of communication with requestors supports good customer service and could aid in early detection and avoidance of potential noncompliance issues and patient complaints.
- Review your fee structure for individual access requests to ensure that they meet the OCR’s standards for a reasonable, cost-based fee.
- Consider evaluating your technological infrastructure and patient-facing technology, such as a patient portal, to assess additional modes of supporting a patient’s right to access their medical information.
If you have any questions or would like additional information about this topic, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
- Stephane Fabus at (414) 721-0904 or sfabus@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your regular Hall Render attorney.
For more information on Hall Render’s HIPAA, Privacy & Security services, click here.
