Last year, the Office of Civil Rights (“OCR”) announced a new initiative – the HIPAA Right of Access Initiative – as an enforcement priority in support of the right of individuals to timely access to their health records under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. As of this October, OCR has settled nine enforcement actions against healthcare organizations for failure to comply.
The Privacy Rule gives patients the right to both view their medical records and obtain a copy of their health data at a reasonable cost within thirty (30) days of submitting a request. Records are defined under the Rule as “designated record sets,” and include medical records, billing records, enrollment forms, claims adjudication documents, and any other document used to make decisions about an individual. Despite the existence of this rule, some healthcare organizations still make it difficult for patients requesting access to their records, leading the OCR to take action by making the “right of access” an enforcement priority.
Enforcement in Action
OCR has settled each of the nine enforcement actions against healthcare providers by assessing both monetary penalties and corrective action plans. In some cases, monetary penalties were imposed only after a second complaint was made. However, a recent OCR decision illustrates just how strict enforcement can be:
In July 2019, OCR received a complaint from an individual alleging that, just one month earlier, she had made multiple requests to her provider, NY Spine, for a copy of her medical records. NY Spine complied in part by providing some of the records, but it did not provide the diagnostic films that the individual specifically requested. OCR initiated an investigation and determined that NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. As a result of OCR’s investigation, the complainant received all of the requested medical records in October 2020, and NY Spine was fined $100,000.
When determining a monetary penalty, OCR will take into account several factors, including the provider’s financial condition, past compliance, the nature and extent of the harm, and the nature and extent of the violation.
Providers Be Warned
One year and nine enforcement actions later, it is clear that OCR will not tolerate noncompliance by providers. In fact, OCR Director Roger Severino said in a recent statement, “it shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when healthcare providers don’t take their HIPAA obligations seriously.”
Will providers heed the warning? Perhaps in time; however, a 2019 study conducted by medRxiv identified widespread noncompliance with an individual’s right to access their own medical record. Specifically, more than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it took several attempts and communication to supervisors up the food chain before requests for a copy of the medical record were satisfied in a fully compliant manner.
We recommend that all HIPAA-covered entities take steps to ensure compliance with the Privacy Rule’s “right of access” by drafting policies that make clear what is included in a patient’s record. This specificity should help providers avoid inadvertent omissions when a patient request is being fulfilled. Business associates may also be required to provide access to and maintain records on behalf of covered entities pursuant to the terms of a business associate agreement.
If you have questions about the Privacy Rule, OCR’s “right of access” initiative, or what your organization can do to improve its compliance, please feel free to contact Marni Levitt at firstname.lastname@example.org or contact us via our website.
Marni Levitt is a Member of Outside GC's Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at email@example.com or 508-561-4306.