HIPAA enforcement is going strong. The Office for Civil Rights (OCR), which oversees HIPAA, has announced two right of access settlements with skilled nursing facilities in the past three days.
Phoenix Healthcare, an Oklahoma multi-facility organization, settled for $35,000, and Essex Residential Care, LLC in New Jersey, paid $100,000. These are the 47th and 48th enforcement actions in the OCR Right of Access Initiative.
HIPAA requires that a covered entity provide access to an individual’s medical records within 30 days of receiving a request. In its announcement, OCR emphasized that noncompliance with the right of access rule is widespread, and it continues to receive complaints from patients and their families about the failure to receive timely access to health records.
“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”
Personal Representatives Have the Right to Receive Records
The patient or their personal representative may obtain the patient’s medical records. In both of these cases, a family member serving as a personal representative sought to obtain the records.
Phoenix Healthcare
In April 2019, a complaint was filed with OCR alleging that Phoenix Healthcare would not provide a daughter, who serves as a personal representative, with a copy of her mother’s medical records. After OCR intervened with technical assistance its requests for the records, Phoenix Healthcare finally sent them on January 30, 2020, 323 days after the request.
Essex Residential Care, LLC dba Hackensack Meridian Health
In May 2020, OCR received a complaint alleging that Hackensack Meridian Health failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after Hackensack Meridian Health received sufficient documentation demonstrating that the son was serving as his mother’s personal representative. Due to OCR’s investigation, the requested records were sent to the personal representative in November 2020.
Learn the Right of Access Rule and Avoid Fines
- The patient may choose the form and format of the records – paper or electronic and delivered by mail or email.
- Produce the records promptly, but take no longer than 30 days unless there is a good reason for more time. If so, notify the patient that another 30 days will be needed. NOTE: If state law is stricter than HIPAA, follow the State. California, for example, requires copies to be provided within 15 days or access to view them during business hours within five days
- Fees, if any, should be minimal.
- Don’t confuse the right of access (for the individual) with the required HIPAA authorization (for a third party who is NOT a personal representative).