On August 1, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a civil monetary penalty of $115,200 collected against a provider of emergency medical services across the United States. The penalty resulted from an investigation prompted by a patient complaint alleging that the provider failed to provide timely access to the patient’s medical records.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.
OCR received a complaint alleging that the provider did not grant timely access to a patient’s medical records despite numerous requests by the patient. After launching an investigation, OCR confirmed that the provider had indeed failed to provide the records in a timely manner. In response to the investigation, the provider sent the patient the requested records and revised its internal procedures to improve the management and tracking of access requests, ensuring compliance with legal requirements.
In October 2023, OCR issued a Notice of Proposed Determination to impose a civil money penalty. The provider chose to waive its right to a hearing and did not dispute OCR’s findings. As a result, OCR finalized its determination and imposed the civil money penalty on the provider.
“HIPAA gives patients a right to timely access to their medical records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to enforce this right through investigations, and when necessary, by imposing civil money penalties.”
Compliance Perspective
Issue
The HIPAA Privacy Rule requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. A covered entity must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request. This is an outer limit and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access 30 calendar days (for example, where the information is archived offsite and not readily accessible) the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.
Discussion Points
- Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
- Train staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Document that these trainings occurred and file the signed training document in the employee’s education file. An education program titled HIPAA Right of Access and the Cures Act provides detailed information on record release requirements and is available to all clients in Med-Net Academy (MNA) Compliance in the Privacy Category and in MNA Prime in the Additional CE Opportunities Category where it offers NAB and Florida Board of Nursing CEs.
- Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
