Right of Access is Top Enforcement Focus in 2020

HIPAA Right of Access enforcement is climbing and fast.  Last week, the Office for Civil Rights (OCR) announced its 9th Right of Access resolution this year and its 11th such resolution since the Right of Access enforcement initiative began in 2019.  For the first time in many years, HIPAA Security Rule claims are sharing the enforcement spotlight.  While Security Rule resolutions remain the most expensive, Right of Access enforcement action resolutions are more numerous than any other in 2020.  

As I have pointed out in previous posts, enforcement on Right of Access claims continues to be swift and affects providers of all sizes.  And while enforcement in this area is not as expensive as HIPAA Security Rule enforcement, the total of the settlements so far this year is approaching half a million dollars. 

The most recent enforcement resolution involves an ENT provider in New York.  The provider agreed to pay $15,000 and to undertake a corrective action plan to settle claims that he failed to provide a patient timely access to her records at a reasonable cost and failed to cooperate with OCR’s investigation.  The patient filed a complaint with OCR in September 2018 after many requests for records.  OCR sent the provider a technical assistance letter (described below in key take-aways) detailing Right of Access requirements and closed the complaint.  A year later, the patient complained again.  OCR began an investigation and sent two data requests to the provider, which the provider ignored.  Ultimately, the patient received her records.

One week earlier, OCR announced the 8th Right of Access enforcement resolution of 2020.  A California psychiatric provider agreed to pay $25,000 and to undertake a corrective action plan to settle claims that it withheld records from a patient.  The patient complained to OCR in March 2019 that she could not get access to her records despite numerous requests.  Like the previous resolution, OCR sent a technical assistance letter to the provider shortly after receiving the complaint.  Just one month later, the patient complained again, and OCR initiated an investigation. 

The provider claimed that the patient sought “psychotherapy notes,” which is a very specific type of record under HIPAA that need not be disclosed to the patient.  While the resolution does not provide many details, it appears that the provider defined “psychotherapy notes” too broadly,  withheld parts of the patient’s record that did not constitute “psychotherapy notes” and failed to provide the patient with a written explanation for its denial of access. 

There are important similarities between all the Right of Access resolutions.  First, all arose from patient complaints.  Second, about half involved technical assistance letters from OCR and subsequent patient complaints.  Third, OCR is responding with lightning-fast speed to patient complaints.

Below are key take-aways based on all eleven of OCR’s Right of Access enforcement resolutions from 2019 and 2020:   

  • Timely respond to all patient and patient representative requests to access or for copies of records.  If for some reason, you cannot respond timely to a patient’s request, reach out to and explain why.  You can take advantage of a one-time 30-day extension under HIPAA if you notify the patient within the initial 30 days.  Radio silence from you is one of the best ways to ensure that the patient will file a complaint.  Also, if you deny access, you must provide a written explanation under 45 CFR § 164.524. 
  • Take seriously all communications received from OCR.  If OCR sends a technical assistance letter, it will lay out the patient’s claim and include the following statement “Pursuant to its authority under 45 C.F.R. §§ 160.304(a) and (b), OCR has determined to resolve this matter informally through the provision of technical assistance. . .”.  The letter also will include compliance information.  Act on this letter and document the action taken, even if you conclude that no additional action is necessary.
  • Be sure that you are not overcharging for copies of medical records.  There is a common misconception that it is always appropriate to charge the per page maximum fee set by state law for copies.  That is incorrect.  When the patient is requesting copies, state law takes a backseat to the rules under HIPAA.  Those rules limit the fees that a provider can charge a patient for copies, regardless of state law.  I offer a sample policy on fees for records here.
  • Review all your policies and procedures related to Right of Access requirements under 45 CFR §164.524 and ensure that your staff are trained to take all patient requests for records seriously.  Poor response to patient requests will lead to complaint to OCR.   

Previous blog articles detail the other Right of Access cases in September and October 2020.  For those of you keeping score, to date this year, OCR has announced 17 enforcement action settlements and the total amount of those settlements is $13,453,900 ($436,500 of which arise out of Right of Access settlements).