HHS OCR Settles Multiple HIPAA Complaints over Patient Access to Records

On December 15, 2023, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that a multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut has agreed to pay $160,000 to resolve multiple complaints filed with OCR concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s Right of Access provision. The HIPAA Right of Access provision requires that individuals or their personal representatives have timely access to their health information for a reasonable cost. OCR’s investigation revealed that the physician group failed to provide access within 30 calendar days.

In Fall 2021, OCR received six complaints alleging that the physician group failed to provide copies of medical records requested by an adult patient or by the parents of minor patients. In February 2022, OCR initiated investigations of these Right of Access complaints. The complaints disclosed that patients received their requested records between 84 and 231 days after their respective requests were submitted. Those timeframes are well outside of the HIPAA Right of Access requirement that providers must give access to medical records requested no later than 30 calendar days from receiving the individual’s request. OCR’s investigation determined that the physician group’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.

In addition to paying $160,000 to OCR, the physician group will implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor the group for one year.

“Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their healthcare and improve their health overall. It is critical that providers follow the law.”

OCR’s guidance on the HIPAA Right of Access is available here.

OCR’s guidance on the HIPAA Privacy Rule and personal representatives is available here.

Compliance Perspective

Issue

The HIPAA Privacy Rule requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. An individual’s personal representative also has the right to access PHI about the individual in a designated record set upon request. A covered entity must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request. This is an outer limit, and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.

Discussion Points

    • Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
    • Train staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Document that these trainings occurred and file the signed training document in the employee’s education file. A program titled HIPAA Right of Access and the Cures Act is available to all clients in the Privacy Category of Med-Net Academy. It is also available in MNA Prime where it is approved by NAB for 1.0 CEs.
    • Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
