On the Record: What to Know About HIPAA’s Right of Access Initiative

Since HIPAA became law in 1996, and the Privacy Rule issued under it took effect, medical practices have had clear guidelines and regulations for the privacy and distribution of protected health information, including a guaranteed right for patients to receive a copy of their medical records upon request. More recently, in 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the HIPAA Right of Access Initiative as an enforcement priority to help patients obtain timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

Under HIPAA, providers are required to give patients a copy of their health information within 30 days of the request, regardless of the patient's current financial standing with the practice. If the practice needs longer than 30 days, it may take one additional 30-day extension, but only if it gives the patient written notice within the original 30 days stating the reason for the delay and the date by which it will act on the request. If the request is denied, the practice must give the patient a written denial that explains the basis for the denial and any right the patient has to have it reviewed. In addition, practices may charge only a reasonable, cost-based fee for the copy of the record. Although this rule had been enforced in certain instances in the past, up until 2019 enforcement was not a regular occurrence.

Since this initiative was announced, there has been a clear trend of increased settlements for right of access violations. It is essential that physicians and medical practices understand how to give patients appropriate access to their records in order to avoid undue liability.

Case in Point

OCR received a complaint from an individual alleging that, beginning in June 2019, she made multiple requests to NY Spine Medicine, a private practice with offices in New York and Miami, for a copy of her medical records. Following her request, the practice provided some of the records but withheld the diagnostic films that she had specifically requested. Upon receiving the complaint, OCR initiated an investigation and determined that NY Spine's failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. The complainant ultimately received all of her medical records in October 2020, 16 months after her initial request. As part of the resolution, NY Spine agreed to pay $100,000 and to comply with a corrective action plan that includes two years of monitoring by the agency.

This example is one of many enforcement actions in recent years, with settlement amounts ranging from $3,500 to $160,000. It has become clear that OCR is keeping a watchful eye on medical practices, and it is important for practice leaders to ensure they are maintaining compliance.

Staying Compliant

To avoid liability, healthcare providers should pay particular attention to this aspect of their operations. One way to protect the practice is to adopt a written policy that clearly defines the procedures for fulfilling a patient's right of access to their medical records, with an emphasis on timely and complete response. Staff should be trained on the proper legal bases for denial, as well as the associated processes that align with HIPAA regulations. Key points of staff education should include:

  • What the HIPAA Right of Access Initiative is
  • How to carefully review all medical record requests
  • Guidelines associated with disclosing records of minors within the practice’s state
  • Proper legal bases for denial
  • How to provide access in a timely and compliant manner
  • How to provide a denial notice consistent with the privacy rule’s access requirements

In certain instances, OCR has reached out to practices directly to provide technical assistance. If this happens, practice leaders should fully implement the guidance received from OCR to avoid a financial settlement and corrective action plan. Once a practice receives communication from OCR, it should work quickly to resolve the issue and give the patient the requested access as soon as possible.

As many of the enforcement actions show, OCR is not hesitating to settle alleged violations of the Privacy Rule’s right of access with both a financial penalty and a corrective action plan. By taking the time to establish clear protocols and educate staff, practices can protect themselves against legal action. If you need assistance developing policies or have any questions about this topic, please call 800-662-7917 to speak with one of Curi Advisory’s Risk Solutions experts.