On November 19, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against a California mental health center. The penalty resolves an investigation into the center’s failure to provide a patient with timely access to her medical records.
OCR launched the investigation after receiving a complaint from a patient who reported not being given timely access to her medical records, despite multiple requests made in writing and by telephone. The patient first completed the medical records request form on March 18, 2020, but it took nearly seven months before the records were provided on October 20, 2020. During that time, she made several telephone calls in July and August 2020 regarding the status of the request, but still did not receive the records.
OCR determined that the center failed to take timely action in response to the patient’s right of access, in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to impose the $100,000 civil monetary penalty. The center waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.
“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer. “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”
Compliance Perspective
Issue
The HIPAA Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee. OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.
Discussion Points
- Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure policies are up-to-date and specifically cover the requirements for timely access to health records and how to handle requests for copies of records.
- Train staff on the HIPAA Privacy Rule, at a minimum upon hire, annually, and whenever issues arise. Ensure that those responsible for processing record release requests are knowledgeable about the right of access provision, including timely responses to requests. Document all training sessions and maintain signed records in employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff. Report audit results to the QAPI/QAA Committee.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*