The Health Insurance Portability and Accountability Act (HIPAA) is not just about privacy. HIPAA also protects a patient’s right to access their own medical records.
The latest enforcement action was announced on December 15, 2023, by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR); Optum Medical Care of New Jersey settled the OCR investigation into multiple patient complaints about the right of access. Optum Medical Care is a multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut.
HIPAA Enforcement Has Not Slowed
The right of access provision requires that patients have timely access to their health information for a reasonable cost.
Too often, healthcare providers do not respond adequately to patients’ requests for their records, so the Office for Civil Rights (OCR) has made the HIPAA right of access provision a top enforcement priority. This settlement is the 46th enforcement action in OCR’s Right of Access Initiative, which began four years ago, in 2019.
The settlement resolves six complaints about Optum filed with OCR concerning potential violations. OCR investigated and found that Optum failed to provide access within 30 calendar days. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their requests.
“Health care providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”
In addition to paying $160,000 to OCR, Optum Medical Care will implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising its right of access policies and procedures as necessary to provide timely responses to requests. OCR will monitor Optum Medical Care for one year.
HIPAA Compliance is Proactive
Be sure you understand the HIPAA right of access requirements so that patients can obtain their records and you avoid an investigation. Update your policies and make sure you have clear procedures for staff to follow.
Covered entities should respond to access requests promptly, provide records in the patient’s requested format, and not charge excessive fees. Staff handling patient requests should receive training on how to comply with the requirements and communicate with patients during the process.
