Lab Pays $16,500 to Resolve Potential HIPAA Violation over Medical Records Request

The Office for Civil Rights (OCR) at the US Department of Health and Human Services announced a settlement with a full-service diagnostic laboratory in Sandy Springs, Georgia, concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 43rd case to be resolved under OCR’s HIPAA Right of Access Initiative, which is designed to improve regulated entities’ compliance with the law. The laboratory agreed to implement a corrective action plan and pay $16,500 to resolve the investigation.

In August 2021, a complaint was filed with OCR alleging that the laboratory would not provide a personal representative with a copy of her deceased father’s medical records. The personal representative first requested access to her father’s records on July 7, 2021, but did not receive them until February 16, 2022, over seven months later. OCR’s investigation determined that the laboratory’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

In addition to the monetary settlement, the laboratory also agreed to implement a corrective action plan that includes two years of monitoring by OCR.

OCR’s guidance on the HIPAA right of access is available here.

Compliance Perspective

Issue

The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access to their medical records from all covered entities. A covered entity must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request. This is an outer limit, and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access within 30 calendar days (for example, where the information is archived offsite and not readily accessible), the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.

Discussion Points

    • Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
    • Train staff on the HIPAA Privacy Rule, at a minimum upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Document that these trainings occurred and file the signed training document in the employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
