On July 15, 2022, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced its resolution of eleven separate investigations against covered entities for violations of the individual’s right of access under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). OCR’s continued efforts with respect to the right of access demonstrate its commitment to ensuring individuals have the right to timely and affordable access to all of their protected health information (“PHI”) contained in designated record sets. As health care continues to become a more patient-centered system that puts individuals “in the driver’s seat” with respect to their health care and related PHI, covered entities and business associates must remain diligent in their commitment to compliance or face potentially costly consequences.
Following is a link to a summary of the recent enforcement actions, an overview of key takeaways from the recent enforcement actions and a summary of HIPAA’s right of access for those who may need a refresher.
Click here for a summary of the recent enforcement actions.
Right of Access Initiative Observations and Practical Takeaways
Based on a review of the enforcement actions under OCR’s Right of Access Initiative, HIPAA covered entities are well-advised to consider the following observations and recommendations:
- All covered entities are at risk for noncompliance. OCR’s enforcement activity to date has affected a wide variety of organizations, regardless of size, geographic location and type of practice. Solo practitioners and small practices, including dentists, podiatrists and ophthalmologists, are not immune and may be as likely to receive a fine or penalty as larger, multifacility health systems for failing to comply with access rights requirements. Additionally, these recent enforcement actions are typically the result of noncompliance with respect to a single individual, meaning potential liability is even greater where a covered entity is regularly failing to comply with any aspect of the right of access as a routine matter.
- Accurately describe the right of access in the Notice of Privacy Practices (“NPP”). A covered entity’s NPP must inform individuals of their access rights using plain language. While OCR has indicated that covered entities can require individuals to request access in writing or have individuals complete a form to enable appropriate identity verification, covered entities must notify individuals of these requirements in advance (such as through the NPP) and such requirements cannot be burdensome. Covered entities cannot require that requests be submitted in person. Access procedures cannot pose an undue burden or unnecessary delay to the right of access. The covered entity is assumed capable of producing certain electronic formats like a PDF copy but must make other readily producible forms or formats available upon request. This may include production through an API or patient portal.
- Remember that personal representatives stand in the shoes of the patient. Personal representatives generally must be treated as if they are the patient when exercising the patient’s right to access. Covered entities must ensure policies and procedures regarding personal representatives are up-to-date and accurate so that identity verification, evaluation of authority and delivery of records can occur within the required time frames.
- Ensure it is possible to provide access to the complete designated record set. As defined by HIPAA, the “designated record set” includes information beyond that contained in the electronic health record, such as information in imaging, communication or billing systems. Accordingly, covered entities must identify and document their designated record set and ensure that workforce responding to access requests can produce the entire designated record set. When an individual requests access to the entire designated record set, covered entities may not produce a subset, an abstract or a summary without the individual’s prior consent.
- Implement a process to log and track receipt of and response to access requests. This process must capture all requests received by the covered entity, whether submitted to a health information management department or billing department. Misplaced or forgotten requests pose a major compliance risk. Based on the recent corrective action plans, OCR appears to expect that covered entities will have such processes in place to ensure timely and complete responses to an individual’s requests for access.
- Draft clear and accurate policies and procedures on the right of access. Policies and procedures must be regularly reviewed and updated to address regulatory changes and compliance risks. Policies must address all aspects of right of access, including requirements to transmit copies directly to a designated third party, reasonable fees and appropriate denial processes. Covered entities may not deny access because there is an outstanding bill for services, and they may not require prepayment of fees for access.
- Invest in an adequate and well-trained workforce. Two recent enforcement actions stemmed from workforce error or misunderstanding of right of access requirements. This demonstrates that even small, good-faith mistakes can lead to significant liability. Staff must be able to accurately identify, assess and respond to access requests in a compliant manner. Staffing levels need to be adequate to address the volume of requests and enable staff to provide a timely and complete response. This requires regularly educating and training workforce members and applying appropriate sanctions for noncompliance. Auditing response times and completeness of record productions can help covered entities identify where additional clarification or training may be needed. Workforce members receiving questions about how to access records must know where to direct individuals for additional information and where to refer verbal or written requests so that they may be timely processed.
- Assess arrangements with vendors that respond to access requests on the covered entity’s behalf. Covered entities that contract with record production vendors to respond to access requests need to ensure that such vendors act in compliance with HIPAA. Because such vendors function as business associates of the covered entity, and may act as its agents, vendor noncompliance poses a particular risk to the covered entity. Accordingly, vendors must be required to respond timely, with complete information, and at an appropriate fee. Covered entities need to ensure that adequate contractual remedies are available for vendor noncompliance.
- Do not fail to respond to or be uncooperative with an OCR investigation. Failing to cooperate with an OCR investigation likely will cause OCR to impose a Civil Money Penalty (“CMP”) that will exceed any resolution amount that could otherwise have been reached. Covered entities should timely respond to OCR data requests with complete and accurate information. Receipt of and response to such requests must be documented. Covered entities must also document any action taken in response to any technical guidance issued by OCR. Covered entities are encouraged to collaborate with counsel to ensure that communications with OCR accurately address regulatory compliance and protect organizational interests.
- Remember to evaluate and comply with more stringent federal and state laws. HIPAA sets the floor, not the ceiling, for access to health information. Accordingly, if federal or state law provides (i) greater access rights; (ii) access within a faster timeframe; and/or (iii) access at a lower or no cost, these laws will preempt HIPAA. The HIPAA right of access requirements also implicate compliance with the new Information Blocking Rule, which has requirements that overlap with HIPAA’s right of access and has yet to be enforced. The recent OCR enforcement actions predate the Office of the National Coordinator for Health Information Technology’s enforcement of the Information Blocking Rule. Health care providers therefore could be subject to investigation and penalty under both sets of regulations for failure to comply with access obligations in the future.
- Treat the release of information as a customer service activity. Individuals expect their information to be provided to them promptly and may be quick to complain. Some of the recent enforcement actions were based on complaints filed within days of the individual not receiving access and before the timeframe to provide access had run. If a covered entity is not able to provide the records within 30 days, it should proactively communicate this to the requestor and obtain a 30-day extension, as allowed by HIPAA, to help manage the individual’s expectations. Covered entities with a workforce that provides efficient, consistent and honest communication with requestors may help avoid complaints to OCR and subsequent investigation.
HIPAA Right of Access Refresher: Requirements and Penalties
To support the individual’s right of access, the HIPAA Privacy Rule requires that covered entities:
- Document their designated record sets;
- Document titles of persons or offices responsible for receiving and processing requests for access; and
- Provide access to PHI contained in a designated record set as requested by patients and their personal representatives. This includes allowing individuals to inspect and/or obtain a copy of PHI. However, psychotherapy notes and PHI compiled in reasonable anticipation of litigation are excluded from the scope of this access right.
Covered entities may require “access requests” to be submitted in writing if they inform individuals of this requirement, often accomplished through the notice of privacy practices. Individuals are also permitted to request that copies of such PHI be provided to a designated third party; however, the individual’s request must be in writing, signed by the individual and clearly identify the designated person and where to send the copy of the PHI.
Responding to Requests for Access
How long does a covered entity have to respond to a request?
The covered entity must respond to requests within 30 calendar days of receiving the individual’s request unless it exercises its ability to extend the period once by no more than an additional 30 days. To extend, the covered entity must inform the individual in writing, within the initial 30-day response period, of the reasons for the delay and the date by which the covered entity will provide access. Note that state law may set forth more stringent timing requirements.
Can the PHI be shared with the individual in any form or format?
A covered entity must provide the PHI in any readily producible form and format requested by the individual or otherwise in a readable hard copy form or other form and format as agreed to by the covered entity and individual. If maintained electronically, the PHI must generally be provided electronically, if requested. If the individual agrees in advance to instead receive a summary or explanation of the requested PHI and to the imposition of any related cost-based fee, the covered entity may instead provide a summary or explanation. The covered entity may discuss the scope, format and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
Can fees be charged?
Only a reasonable cost-based fee may be imposed for the provision of access that only takes into account those specific cost categories identified in the regulations, subject to limitations determined in recent case law. Remember that fees must also comply with more stringent state law.
Can a covered entity deny an access request and how does it do so?
A covered entity may deny access only in limited circumstances outlined in the regulations. A covered entity must provide the individual with written notice of any denial of access, in whole or in part. The denial must be in plain language and describe the basis for denial. If the denial is based on reviewable grounds, the notice must also inform the individual of the right to have the decision reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny, how to request such a review and how to submit a complaint to the covered entity or HHS. OCR may consider a failure to provide all requested records to be a denial of access, whether or not such denial is communicated to the individual.
What if an individual requests a review of the denial?
Certain grounds are non-reviewable as outlined in the regulations. However, individuals have a right to request a review of any denial based on a licensed health care professional’s determination in the exercise of professional judgment that the access is reasonably likely to endanger the life or physical safety of the patient or another person (if requested by the patient) or to cause substantial harm to the patient or another person (if requested by a personal representative). Also reviewable is a denial based on a licensed health care professional’s determination in the exercise of professional judgment that the access is reasonably likely to cause substantial harm to another person referenced in the PHI (other than a health care provider).
What if the covered entity does not have the PHI the individual is requesting?
If the covered entity does not maintain the PHI that is the subject of the individual’s request for access but knows where the requested PHI is maintained, the covered entity must inform the individual where to direct the request for access.
Penalties
Current CMPs for noncompliance with HIPAA, including the right of access, range from $127 to $63,973 per violation based on the covered entity’s level of culpability. However, penalties for violations due to willful neglect that are not timely corrected can be as high as $1,919,173 per violation. The maximum calendar-year penalty cap for all violations of an identical HIPAA provision is currently $1,919,173.
If you have any questions or would like additional information about this topic, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com;
- Krystal Villarruel at (317) 429-3639 or kvillarruel@wp.hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.