On April 1, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against a New Jersey skilled nursing facility that provides long-term care and rehabilitation services. The penalty resulted from the facility’s failure to promptly provide a patient’s personal representative with access to medical records, violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
In May 2020, OCR had received a complaint alleging that the facility failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after the facility received sufficient documentation demonstrating that the son was serving as his mother’s personal representative. The requested records were sent to the personal representative in November 2020, as a result of OCR’s investigation.
OCR found that the facility failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. The facility waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $100,000.
“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by healthcare facilities across the country.”
Compliance Perspective
Issue
The HIPAA Privacy Rule requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. An individual’s personal representative also has the right to access PHI about the individual in a designated record set upon request. A covered entity must provide access to the requested PHI no later than 30 calendar days from receiving the individual’s request. This is an outer limit and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Further, individuals may reasonably expect a covered entity to be able to respond in a much faster time frame when the covered entity is using health information technology in its day-to-day operations. If a covered entity is unable to provide access 30 calendar days (for example, where the information is archived offsite and not readily accessible) the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access.
Discussion Points
- Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access.
- Train staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, including timely response. Document that these trainings occurred and file the signed training document in the employee’s education file. An education program titled HIPAA Right of Access and the Cures Act provides detailed information on record release requirements and is available to all clients in Med-Net Academy (MNA) Compliance in the Privacy Category and in MNA Prime in the Additional CE Opportunities Category where it offers NAB and Florida Board of Nursing CEs.
- Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
