On September 9, 2019 the Office for Civil Rights (OCR), the agency that oversees HIPAA compliance, announced its first enforcement action and settlement in its Right of Access Initiative. Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of HIPAA. Expect more investigations and settlements since this is an OCR priority.
On August 13, 2019, a study was published that peeled back the curtain on how providers are failing to provide the HIPAA right of access to individuals requesting their medical records. We wrote about the study and its blueprint for action on August 20.
In the Bayfront case, OCR started the investigation at the request of a mother who had tried and failed to obtain information about the fetal heart rate of her unborn child. Because of the investigation, she finally received the records more than nine months after her initial request, although HIPAA right of access rules require that records be provided within 30 days. This right to patient records extends to parents who wish to obtain medical information about their minor children, and in this case, a mother who sought prenatal health records.
HIPAA Right of Access Should be Easy
There are three common problems with how providers respond to requests for records: they are not sending the records via email when requested, they take too long, and they charge too much.
Providers are supposed to provide the records in the form and format requested by the patient – paper or electronic and delivered by mail or email. The records should be produced promptly, but no longer than 30 days, unless the provider has good reason to require more time. If so, they need to notify the patient and may take another 30 days. Fees, if any, should be minimal. NOTE: If your State law is stricter, follow that. California, for example, requires copies to be provided within 15 days, or access to view them during business hours within five days.
Another issue plagues health care providers – they often confuse HIPAA right of access with authorization. We wrote about the difference in May 2019. Too many providers think they need patients to sign a release or an authorization, but they don’t. A patient’s request is simple and they don’t need to use a special form or special words.
HIPAA Right of Access is an OCR Priority
OCR Director Roger Severino warns that the Bayfront case is one example, and OCR will continue to investigate similar claims.
“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
From HHS press release September 9, 2016
HIPAA Right of Access is Explained in The HIPAA E-Tool®
Education about the right of access is easy to find in The HIPAA E-Tool®. It contains the policy, explains the exceptions, provides forms for responses, and helps determine a reasonable cost-based fee. Answers are at your fingertips, with legal citations and updates when the law changes. And we are a phone call or email away to guide you.