The following article relates to HIPAA Right to Access Patient Records. The Office of Civil Rights (OCR) is cracking down on Covered Entities and Business Associates who have complaints filed with the OCR. If you have our HIPAA Compliance Program, this is part of the annual training requirement and the policy and procedures are found in Chapter 1, item # 4 Access to Protected Health Information. If you do not have our HIPAA program, please ensure you have this policy and procedure with the required forms. This article was written by Jane Anderson.
As the HHS Office for Civil Rights (OCR) continues its crackdown on providers that fail to comply with the HIPAA right of access, privacy experts warn that it’s past time for covered entities (CEs) and business associates (BAs) to upgrade their access policies and procedures, and to take the right of access very seriously.
In February, OCR announced the 15th and 16th settlements in its Right of Access Initiative. On Feb. 10, Renown Health P.C., a private nonprofit health system in Nevada, agreed to take corrective actions and pay $75,000 to settle a potential violation of the right of access standard.[1] And just two days later, Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers, agreed to take corrective actions and pay $70,000 to settle a potential violation.[2]
Attorney Samantha Gross, associate with Saul Ewing Arnstein & Lehr LLP in Philadelphia, said multiple issues play into these potential violations. There is often confusion on the part of the covered entity as to how to comply with these specific HIPAA rules, in particular with unique requests such as from third parties (as seen in the recent Renown settlement) or requesting psychotherapy notes (as seen in the Riverside Psychiatric Medical Group settlement[3] in November). There is also an administrative burden of replying to such requests in a timely manner when CEs have a number of other demands. However, compliance with the HIPAA rules, including the right of access, remains critical, Gross told RPP.
In addition, some CEs simply aren’t paying enough attention to this requirement, noted Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor. “While most CEs, in my experience, have assigned, even in some offhand verbal instance, responsibility for this activity, they typically have then [done] nothing beyond that; no plans or procedures were made to guide and consistently take actions for responding to such requests. They have neglected an important part of being able to respond in a timely manner—to meet the time requirements of this HIPAA requirement,” Herold said.
Attorney Eric Fader, a partner with Rivkin Radler in New York City, said that the message OCR is trying to send to providers with the right of access settlements is that “ignorance of your responsibilities under HIPAA is no excuse. Don’t tell us you’re too busy. You must train your workforce to respond timely to patients’ requests. Don’t pretend you didn’t know you had to do this, because we, the American Medical Association and other organizations, and mainstream news sources have all been talking about this for at least the past couple of years. And above all else, if we investigate you and you tell us you’ll do something, you’d better do it.” Fader told RPP that “any provider that hasn’t reviewed its internal policies on providing access to patient records and made sure that their workforce knows how to speak to patients and process these requests really has no good excuse for noncompliance.”
Health care organizations have neglected the right of access, which led OCR to hone in on it, Fader said. “The audits of HIPAA-covered entities and business associates that OCR has been doing for many years didn’t start out focusing on this problem,” he said. “However, it gradually became apparent, and in the past few years it has been recognized that the country’s health care costs can only be reduced through better coordination of care. It’s impossible to coordinate care among unrelated providers effectively if they don’t have timely access to patients’ records, including those records generated by other providers.”
Settlements Share Common Framework
With a total of 16 settlements announced by OCR so far in its access initiative, some common themes have emerged. According to Herold, these include:
- CEs and BAs can no longer expect to ignore privacy rule requirements and not pay a big penalty.
- No CE or BA is too small to be penalized.
- Patients or family members increasingly are reporting organizations that don’t give them access to their patient data, or to the data of the people they legally represent.
- CEs and BAs are still deciding not to follow the HIPAA requirements they think are too burdensome.
“CEs and BAs are still handling HIPAA compliance in ways that are penny-wise and many pounds-foolish,” Herold said. “Leadership at these organizations need to wake up and realize that they could actually lose their business by following the path of doing as little as possible, at the least amount of cost, when it comes to HIPAA security and privacy compliance.”
OCR is trying to make a point with the settlements, Fader said. He agreed they follow similar patterns. “It’s usually the same basic facts,” he explained. “Patient requests records. Patient is ignored entirely or receives only a few of the records (perhaps copies of test results that need to be burned onto a CD are what is omitted). Patient complains to OCR. OCR contacts provider and reminds them of their obligation. Provider says they’ll provide the records. OCR closes the case without penalty. Provider still doesn’t provide the records. Patient complains again. OCR reopens the case, investigates, and fines the provider. OCR announces the settlement publicly, trying to maintain a steady drumbeat of settlements to gradually educate the public.”
The COVID-19 pandemic has played a role, Fader said. “Many of the settlements—including one that a former client of my firm had to pay last year under the Right of Access Initiative—seem to have arisen out of violations that were caused, in part, by COVID-19. Many providers reduced office hours last year or had to furlough some administrative employees, and they simply didn’t have sufficient administrative support to respond to patient requests. My guess is that if a practice has one ‘front desk’ person and one administrative/billing person, and the latter is working from home some or all of the time where he/she may be less efficient, there will be a temptation to prioritize bills and follow-ups with insurance companies, and pay less attention to patients’ own requests for their records.”
Expect Continued Focus on Access
Providers should expect more enforcement and more emphasis on the right of access from OCR going forward, Gross said. “In 2020 OCR vigorously enforced individuals’ rights to access and control their medical records. I anticipate right of access compliance will continue to be an enforcement priority under the Biden administration.” In addition, Gross pointed out, OCR’s long-awaited revisions to the HIPAA privacy rule include an expansion to the right of access.[4] “Covered entities and business associates can expect a continuation of enforcement in this arena from OCR in 2021,” Gross predicted.
In addition, Herold pointed out that the growth in popularity of health apps, devices and direct-to-consumer health services has fueled interest on the part of patients to gain access to their own medical records. “The general public has been increasingly expressing concerns about the security for and access to their health data, and not being able to get access to it, since the HIPAA privacy rule went into effect in 2003,” Herold said. “OCR has been listening to those concerns.” As publicity for the Right of Access Initiative has increased, more members of the public have decided to submit their own complaints, she added.
With these settlements, OCR is sending a clear message to providers: Pay attention to the right of access, Gross said: “OCR is sending the message that patient access to medical records is a civil rights issue that is taken seriously by the U.S. Department of Health and Human Services. OCR is additionally demonstrating that covered entities and business associates of all sizes need to comply with the HIPAA rules. Likewise, the settlement amounts varied widely. OCR is making a point not to limit settlements to large health systems or organizations but is also enforcing the HIPAA rules against small provider groups and solo practitioners.”
1 HHS, “OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative,” news release, February 10, 2021, https://bit.ly/3uQCpWn.
2 HHS, “OCR Settles Sixteenth Investigation in Right of Access Initiative,” news release, February 12, 2021, https://bit.ly/3b23PAz.
3 Jane Anderson, “New Access Settlements Highlight Third-Party Right, Psych Notes, Need to Respond to OCR,” Report on Patient Privacy 20, no. 12 (December 2020), http://bit.ly/2PLKBHh.
4 Jane Anderson, “Long-Awaited HIPAA Privacy Revision NPRM on Care Coordination Released,” Report on Patient Privacy 21, no. 2 (February 2021), http://bit.ly/2OuyPjQ.
