Updated January 12, 2020
Patients have the right to see their own medical records. This simple concept is a HIPAA requirement and is easy to comply with. Yet many healthcare providers misunderstand it and create roadblocks or unnecessary delays. A better idea would be to understand the rule and make sure to comply – and avoid investigations and fines.
Right of Access Initiative – Fourteen Settlements so Far
The Office for Civil Rights (OCR), the agency that enforces HIPAA, has long considered the patient right of access a priority, and has settled a total of fourteen investigations under its Right of Access Initiative.
In September OCR announced resolution agreements with five healthcare providers that failed to provide access as HIPAA requires. The fines for the five settlements range from $3,500 to $70,000.
A little over a year ago, in September 2019, OCR announced its first enforcement action and settlement in its Right of Access Initiative. OCR settled a second right of access investigation in December 2019 with Korunda Medical, LLC, which paid $85,000.
OCR announced the Initiative in 2019 as an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements announced on September 15, 2020 bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative through September 2020.
OCR announced four more Right of Access investigation settlements in October and November: on October 7, October 9, November 6, and November 12, 2020, bringing the total number of cases to eleven as of November 12. With three more settlements announced between November and January, the total number of cases is fourteen.
But long before that, OCR had cautioned that obstacles to patients receiving access were HIPAA violations. In 2016, for example, OCR warned that requiring someone to execute an “authorization” in order to obtain access to their own records may create an impermissible obstacle under HIPAA.
Five Recent Cases Enforcing Right of Access
In addition to the fines, each of the covered entities agreed to adopt a corrective action plan (CAP) to improve HIPAA compliance.
Behavioral Health, Nonprofits and Small Providers are not Immune to Enforcement
Several things stand out about these five cases. Three of them provide behavioral health services and two of them are quite small. The smaller organizations paid smaller fines, but they were still investigated, and must implement “corrective actions” to improve compliance and be monitored by OCR going forward, like the other three. Another factor is that each of the investigations could have been resolved earlier without fines, but the patterns were the same – they did not take the investigation seriously or act quickly enough. Policies were absent, or weren’t being followed.
The message is clear: whether small or large, for profit or not for profit, all covered entities are expected to take HIPAA seriously, know the rules, and follow through.
$38,000 – Housing Works, Inc.
This non-profit organization provides healthcare, homeless services, job training and advocacy and legal aid support for people living with and affected by HIV/AIDS in New York City. (agreed to a one-year CAP)
$15,000 – All Inclusive Medical Services, Inc.
AIMS, based in Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services including internal medicine, and pain management and rehabilitation. (agreed to a two-year CAP)
$70,000 – Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services is the largest network of mental health and substance use disorder services in the greater Boston area and eastern Massachusetts. (agreed to a one-year CAP)
$3,500 – King MD
King MD is a small health care provider of psychiatric services in Virginia. (agreed to a two-year CAP)
$10,000 – Wise Psychiatry, PC
Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado. (agreed to a one-year CAP)
Seven More Right of Access Cases Announced from October 2020 through January 2021
$160,000 – Dignity Health
St. Joseph’s Hospital and Medical Center (“SJHMC”), part of Dignity Health, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services. (agreed to a two-year CAP)
$100,000 – NY Spine
NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. (agreed to a two-year CAP)
$25,000 – Riverside Psychiatric Medical Group
Riverside Psychiatric Medical Group is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders in Riverside, CA. (agreed to a two-year CAP)
$15,000 – Dr. Rajendra Bhayani
Dr. Rajendra Bhayani is a private practitioner specializing in otolaryngology in Regal Park, NY. (agreed to a two-year CAP)
$65,000 – University of Cincinnati Medical Center
The UCMC is an academic medical center providing healthcare services to the Greater Cincinnati community. (agreed to a two-year CAP)
$36,000 – Peter Wrobel, M.D., P.C., dba Elite Primary Care
Elite Primary Care in Waycross, GA is a small practice specializing in Family Medicine, Pediatrics, Vascular Surgery and General Medicine. Peter Wrobel is one of the three physicians in the practice. (agreed to a two-year CAP)
$200,000 – Banner Health
Banner Health, a non-profit organization, is one of the largest health care systems in the United States and is based in Phoenix. It operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities. (agreed to a two-year CAP)
Key Elements of Right of Access
- Patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
- Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: if State law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days.
- Fees, if any, should be minimal. NOTE: due to a recent lawsuit, a higher fee may be charged when a patient requests records be sent to a third party. (Ciox Health vs. Alex Azar)
- Don’t confuse the right of access (for the individual) with a required HIPAA authorization (for a third party).
A lawsuit decided in January 2020, Ciox Health vs. Alex Azar, left the Right of Access rule intact but slightly altered how the fees are calculated when a patient requests that their information be sent to a third party. It also limited a patient’s right to get an electronic copy of records if the covered entity doesn’t have an electronic copy readily available in the exact format requested.
The HIPAA E-Tool® Prevents Investigations and Fines
There is no good reason to be tripped up by the Right of Access requirement of the HIPAA Privacy Rule. When you have the policies, forms and guidance in The HIPAA E-Tool® at your fingertips, answers are easy to find, and you will know what to do.