The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced a settlement on August 24, 2023, with a health insurer that provides insurance coverage to millions of individuals across the US, concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. The company agreed to implement a corrective action plan that includes one year of monitoring by OCR and to pay $80,000 to resolve the investigation.
In March 2021, OCR received a complaint alleging that the company had not responded to an individual’s request for a copy of their medical record. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against the company alleging failures to respond to his right of access requests. OCR’s investigation determined that the company’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.
“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director, Melanie Fontes Rainer.
OCR’s guidance on the HIPAA right of access is available here.
Compliance Perspective
Issue
The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access to their medical records from all covered entities. A covered entity must provide access to the requested protected health information (PHI) no later than 30 calendar days from receiving the individual’s request. This is an outer limit, and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.
Discussion Points
- Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
- Train staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Details are available in the Med-Net Academy Prime program titled HIPAA Right of Access and the Cures Act. Document that these trainings occurred and file the signed training document in the employee’s education file.
- Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*