Updated October 9, 2020
Patients have the right to see their own medical records. This simple concept is a HIPAA requirement and is easy to comply with. Yet many healthcare providers misunderstand it and create roadblocks or unnecessary delays. A better idea would be to understand the rule and make sure to comply – and avoid investigations and fines.
Right of Access Initiative
The Office for Civil Rights (OCR), the agency that enforces HIPAA, has long considered the patient right of access a priority, and recently announced resolution agreements with five healthcare providers that failed to provide access as HIPAA requires. The fines for the five settlements range from $3,500 to $70,000.
About a year ago OCR announced its first enforcement action and settlement in its Right of Access Initiative. OCR announced the Initiative in 2019 as an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements announced on September 15, 2020 bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative.
On October 7 and October 9, 2020, OCR announced two more settlements under the HIPAA Right of Access Initiative, bringing the total number of cases to nine since the Right of Access Initiative began last year.
But long before that, OCR had cautioned that obstacles to patients receiving access were HIPAA violations. In 2016, for example, OCR warned that requiring someone to execute an “authorization” in order to obtain access to their own records may create an impermissible obstacle under HIPAA. Learn about the difference between authorization and access here.
Five Recent Cases Enforcing Right of Access
In addition to the fines, each of the covered entities agreed to adopt a corrective action plan (CAP) to improve HIPAA compliance.
Behavioral Health, Nonprofits and Small Providers are not Immune to Enforcement
Several things stand out about these five cases. Three of them provide behavioral health services and two of them are quite small. The smaller organizations paid smaller fines, but they were still investigated, and must implement “corrective actions” to improve compliance and be monitored by OCR going forward, like the other three. Another factor is that each of the investigations could have been resolved earlier without fines, but the patterns were the same – they did not take the investigation seriously or act quickly enough. Policies were absent, or weren’t being followed.
The message is clear: whether small or large, for profit or not for profit, all covered entities are expected to take HIPAA seriously, know the rules, and follow through.
$38,000 – Housing Works, Inc.
This non-profit organization provides healthcare, homeless services, job training and advocacy and legal aid support for people living with and affected by HIV/AIDS in New York City. (agreed to a one-year CAP)
$15,000 – All Inclusive Medical Services, Inc.
AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. (agreed to a two-year CAP)
$70,000 – Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services is the largest network of mental health and substance use disorder services in the greater Boston area and eastern Massachusetts. (agreed to a one-year CAP)
$3,500 – King MD
King MD is a small health care provider of psychiatric services in Virginia. (agreed to a two-year CAP)
$10,000 – Wise Psychiatry, PC
Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado. (agreed to a one-year CAP)
Two More Right of Access Cases Announced in October 2020
$160,000 – Dignity Health
St. Joseph’s Hospital and Medical Center (“SJHMC”), part of Dignity Health, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services. (agreed to a two-year CAP)
$100,000 – NY Spine
NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. (agreed to a two-year CAP)
Key Elements of Right of Access
- Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
- Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days.
- Fees, if any, should be minimal. NOTE: due to a recent lawsuit (Ciox Health vs. Alex Azar), a higher fee may be charged when a patient requests records be sent to a third party.
- Don’t confuse the right of access (for the individual) with a required HIPAA authorization (for a third party).
A lawsuit decided in January 2020, Ciox Health vs. Alex Azar, left the Right of Access rule intact, but slightly altered how the fees are calculated when a patient requests that their information be sent to a third party, and also limited a patient’s right to get an electronic copy of records if the covered entity doesn’t have an electronic copy readily available in the exact format requested.
The HIPAA E-Tool® Prevents Investigations and Fines
There is no good reason to be tripped up by the Right of Access requirement of the HIPAA Privacy Rule. When you have the policies, forms and guidance in The HIPAA E-Tool® at your fingertips, answers are easy to find, and you will know what to do.