HHS OCR Resolves HIPAA Right of Access Investigation with $20,000 Settlement

On 12/15/2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced a settlement with a Florida healthcare provider concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 42nd case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance with the law by regulated entities. The healthcare provider paid $20,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve the investigation.

In August 2019, a complaint was filed by a daughter acting as a personal representative on behalf of her deceased father, who had been a patient of the healthcare provider. The complainant alleged that the provider had failed to give her timely access to the requested medical records, despite multiple requests.

OCR’s investigation determined that the failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, the daughter finally received all of the requested records, nearly five months after her initial request.

In addition to the monetary settlement, the provider will undertake a corrective action plan that includes two years of monitoring.

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that healthcare providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer. “[This] announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.”

Compliance Perspective

Issue

The HIPAA Privacy Rule requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. An individual’s personal representative also has the right to access PHI about the individual in a designated record set upon request. A covered entity must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request. This is an outer limit, and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.

Discussion Points

    • Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
    • Train staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Document that these trainings occurred and file the signed training document in the employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*