OCR’s HIPAA Right of Access Enforcement Initiative Heats Up

Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced five new settlements under its “HIPAA Right of Access Initiative,” making right of access the most prominent area of HIPAA enforcement so far this year.  In 2019, OCR indicated that it would prioritize claims involving individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.  Within months of announcing the initiative, it publicized the settlement of two right of access claims, representing 20% of all enforcement resolutions that year.  So far in 2020, five of the eight announced enforcement resolutions involve right of access issues with more than three months remaining in the year.

As I noted in my January 2020 post examining HIPAA enforcement trends, right of access enforcement actions would continue to be an area of focus beyond 2019.  As healthcare becomes much more consumer-focused, patients are requesting access to their records like never before.  And they have the right to do so.  The five new settlements share some of the characteristics of those in 2019 and provide a stark reminder of the importance of proper handling of medical records requests, an area where provider compliance historically has been lacking.

Here’s a summary of the five new settlements:

  • A New York City non-profit provider agreed to pay $38,000 and adopt a corrective action plan to settle claims of failing to timely provide a patient with a copy of his medical records.  The patient made the request in June 2019 and filed a complaint with OCR in July 2019.  OCR issued technical assistance to the provider, but one month later, the patient filed another complaint claiming that he still had not received the records.  This prompted the investigation and enforcement action.
  • A multi-specialty family medicine clinic in California agreed to pay $15,000 and adopt a corrective action plan to settle claims based on an April 2018 complaint that the provider refused to allow a patient to inspect and receive a copy of her records.
  • A large network of mental health and substance use disorder providers in Massachusetts agreed to pay $70,000 and adopt a corrective action plan to settle claims based on a February 2019 complaint from a court-appointed representative seeking access to her father’s records on behalf of his estate.
  • A small psychiatric care provider in Virginia agreed to pay $3,500 and adopt a corrective action plan to settle a claim based on multiple complaints (October 2018 and February 2019) that the provider failed to respond to a patient’s August 2018 request for access to her records.  As with the first settlement, OCR issued technical assistance to the provider, which the provider ignored, prompting a second complaint from the patient and an OCR investigation and resulting enforcement action.  
  • A small psychiatric care provider in Colorado agreed to pay $10,000 and adopt a corrective action plan to settle claims based on a February 2018 complaint that the provider failed to grant a mother access to her minor son’s medical records.  As with two of the other five settlements, OCR first issued technical assistance to the provider, which the provider ignored, causing the mother to file a second complaint in October 2018.  OCR initiated an investigation and then an enforcement action. 

As we saw with the two announced right of access settlements in 2019, OCR is addressing these claims with lightning-fast speed (in comparison to the four- or five-year timeline that HIPAA enforcement actions typically follow).  OCR will continue to evaluate all right of access complaints from patients and representatives and will expeditiously pursue those with merit regardless of the size or intent of the provider.

Finally, as we saw in several of the enforcement actions (one in 2019 and three so far in 2020), OCR often will first offer technical assistance to a provider named in a right of access complaint.  Such technical assistance gives providers an opportunity to correct compliance issues without penalties.  Providers must take seriously and act immediately on OCR’s technical assistance.  Failure to do so will result in an investigation and, in all likelihood, an enforcement action. 

Key right of access take-aways:

  • Respond in a timely manner to all requests from patients and patient representatives for access to, or copies of, records.  Now is a good time to review internal policies on handling requests for records and to re-train staff.
  • Take seriously all communications received from OCR.  If OCR sends a technical assistance letter, it will lay out the claim of the complainant and include the following statement: “Pursuant to its authority under 45 C.F.R. §§ 160.304(a) and (b), OCR has determined to resolve this matter informally through the provision of technical assistance. . .”.  The letter also will include compliance information.  Take action on this letter and document the action taken, even if you conclude that no additional action is necessary.
  • Be sure that you are not overcharging for copies of medical records.  A common right of access issue relates to fees, as detailed in one of the 2019 enforcement settlements.  There is a common misconception that it is always appropriate to charge the per page maximum fee set by state law for copies.  That is incorrect.  When the patient is requesting copies, state law takes a backseat to the rules under HIPAA.  Those rules limit the fees that a provider can charge a patient for copies, regardless of state law.  Review your policy for compliance and/or use the sample policy below as a reference.  

Sample Policy for Fees Applicable to Medical Records Requests

For records requested by a patient or the patient’s representative, only a reasonable cost-based fee may be imposed.  This reasonable cost-based fee may include only the cost of:

  1. labor for copying the medical records requested by the individual, whether in paper or electronic form;
  2. supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
  3. postage, when the individual requests that the copy be mailed; and
  4. preparation of an explanation or summary of the medical records, if agreed to by the individual.

The fee may not include costs associated with reviewing the request for access, verifying the request, searching for and retrieving the medical records, storage costs, or other costs not specifically listed in (1)-(4), above. 

In no event can the fee exceed [insert any applicable state law on per page cost limitations; for example, in CT, there is a .65 per page limit] per page.  Electronic copies of the medical record, when requested, shall be provided in a readable format and the fee for providing an electronic copy shall not exceed the actual labor cost associated with responding to the request.  For electronic copies, instead of calculating a cost-based fee, a flat fee of $6.50 may be charged for the electronic copy.

When a third party requests copies of medical records based on a patient’s properly executed HIPAA authorization or when a patient directs that the medical records be sent to a third party, the reasonable cost-based fee limitations do not apply, and Provider may charge [insert state limitation] per page, pursuant to state law, [insert state law citation; CT is Conn. Gen. Stat. § 20-7c].

No charge is permitted for medical records sought for Social Security claims or appeals when the request is accompanied by documentation of the claim.  Proper authorizations must accompany all requests for copies of records.