And the HIPAA Right of Access Enforcement Saga Continues…

The Department of Health and Human Services’ Office for Civil Rights (OCR) continues with vigorous enforcement of HIPAA’s Right of Access rules in 2021.  In the first three months of the year, OCR announced five Right of Access settlements.  The story is nearly identical in each – a patient requests records and a provider fails to timely provide access.  Compliance with the Right of Access rules is relatively simple and one of the best ways to avoid unwanted attention from OCR. 

Here’s a summary of enforcement action resolutions so far in 2021.  Of the six announced resolutions so far this year, five have been Right of Access matters.  Notably, the total amount of the Right of Access settlements so far is close to last year’s total ($537,000) and it’s only a quarter of the way through the year.

| Provider Location/Type | Settlement Amount | Facts |
| --- | --- | --- |
| AZ – Non-profit Health System | $200,000 | Two complaints against provider affiliated covered entities for failing to timely provide requested records; complaints came AFTER records provided. (Click link for blog post) |
| NV – Non-profit Health System | $75,000 | Failed to timely respond to patient’s request to send electronic copies of records, including billing records, to a third party. |
| CA – Medical Center | $70,000 | Failed to timely respond to patient’s request to send electronic copies of records to a third party. OCR sent a technical assistance letter. Patient filed second complaint. |
| MA – Behavioral Health Provider | $65,000 | Failed to timely respond to patient’s request to obtain access to records. OCR sent a technical assistance letter. Patient filed second complaint. |
| NJ – Plastic Surgery Provider | $30,000 | Failed to timely respond to patient’s request to obtain access to records. |
| TOTAL | $440,000 | |

Below are best practice tips that I have provided in the past, but they are worth repeating since we are seeing the same issues over and over again:

 Best Practices to Avoid Right of Access Claims

  • Timely respond to all patient records requests and communicate with patients when there is a delay.  Silence from a provider is one of the best ways to ensure that a patient will file a complaint.  If, for some reason, you cannot respond timely (within 30 days under HIPAA, although state law may require a quicker response), communicate with the patient.  Unless a state law applies requiring a more expeditious response, HIPAA also allows for a one-time 30-day extension if you notify the patient within the initial 30-day period and explain why additional time is needed.  Also, if you deny access for a permissible reason under HIPAA or state law, you must provide a written explanation and must turn over all records not subject to the denial.
  • Take seriously all communications received from OCR.  If OCR sends a technical assistance letter, pay attention to it.  Act on the letter.  Perform an investigation and document the action taken, even if you conclude that no additional action is necessary.  If OCR leaves a message, return the call.  Ensure that those receiving mail and phone messages understand the importance of communications from OCR.
  • Treat personal representatives of patients appropriately.  A few of the Right of Access matters in 2020 involved a personal representative (e.g., a parent of a minor child or a court-appointed representative) requesting access to a patient’s records.  Under HIPAA, a lawful healthcare decision maker for the patient must be treated as the patient with respect to access to records, subject to some limited exceptions.
  • Be sure that you are not overcharging for copies of medical records.  There is a common misconception that it is always appropriate to charge the per page maximum fee set by state law for copies.  That is incorrect.  When the patient requests copies, state law takes a backseat to the rules under HIPAA.  Those rules limit the fees that a provider can charge a patient for copies, regardless of state law, to a reasonable, cost-based fee.
  • Avoid a defensive reaction to requests to send records to legal counsel.  When there is concern that a records request could have legal implications, providers should have an internal process for reviewing the records to identify any potential issues.  And when issues are identified, notify the insurance carrier.  This review process, however, cannot interfere with a patient’s right to timely access to his or her records.
  • Review all policies and procedures related to the Right of Access requirements and ensure that staff are trained to address requests appropriately.  Just as delays without communicating with the patient will lead to complaints, inappropriate responses to patient requests similarly will lead to complaints.  Now is the perfect time to dust off your Right of Access policies, make changes where necessary and retrain on those policies.