Despite the pandemic, Health Insurance Portability and Accountability Act (HIPAA) enforcement was hot in 2020. There were nearly twice as many enforcement action resolutions last year than in each of the previous three years. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, announced a total of 19 resolutions in 2020.
The 2020 resolutions offer different lessons from previous enforcement years, as the most common issue for enforcement in 2020 is relatively new: the Right of Access under the HIPAA Privacy Rule. Most healthcare providers struggle with compliance in this area, leaving providers much more vulnerable to enforcement actions based on individual patient complaints about access to records. We will explore the Right of Access in detail and how to avoid a Right of Access enforcement action.
While Right of Access claims stole the enforcement show in 2020, there were a few other notable lessons from last year. They include the long-time top enforcement issue of failing to conduct a HIPAA Security risk analysis, which remains the most expensive issue in enforcement, and the winner of the “Not the Brightest Bulb in the Box” award, which goes to a provider who misused the breach reporting function and paid handsomely for it.
Before diving in, below is a comparison of the 2020 and 2019 enforcement years:
2020 | 2019 | |
Announced Resolutions | 19 | 10 |
Amount collected | $13,554,900 | $12,274,000 |
CMPs[1] v. Settlements[2] | All settlements | 2 CMPs; 8 settlements |
Most common issue | Right of Access (11) | Risk Analysis (6) |
Right of Access Settlement | $537,500 (11) | $170,000 (2) |
Risk Analysis Settlement/Penalty | $10,977,400 (6) | $8,365,500 (6) |
Right of Access
Without question, the star of the enforcement show in 2020 was the Right of Access. Under the HIPAA Privacy Rule, a patient has the right to access his or her own records.[3] Over the past few years, emphasis on this provision has grown as healthcare has become more consumer-focused and patients are requesting access to their records far more frequently. Further, it has become an area of interest for OCR because it believes that better access to records will help with coordination of care and reduce healthcare costs.[4]
In 2019, OCR indicated that it would prioritize claims involving individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. Within months of announcing the initiative, OCR publicized the settlement of two right of access claims, representing 20% of all enforcement resolutions that year. With 11 of the 19 settlements in 2020 related to the Right of Access, the trend not only continued but significantly intensified.[5]
These 11 settlements share common themes and provide important insights on how to avoid a Right of Access claim. Below is a summary of the 11 matters and then we will explore the common themes.
Provider Location/Type | Settlement Amount | Facts |
NYC Non-profit Provider | $38,000 | Failed to provide timely access; OCR provided technical assistance; second patient complaint filed |
CA Family Medicine Clinic | $15,000 | Refused access to records |
MA Mental Health Network of Providers | $70,000 | Court-appointed representative seeking access to deceased father’s records |
VA Psychiatric Provider | $3,500 | Failed to respond to request; OCR provided technical assistance; second patient complaint filed |
CO Psychiatric Provider | $10,000 | Denied mother of a minor child access to records; OCR provided technical assistance; second patient complaint filed |
AZ Hospital and Medical Center | $160,000 | Failed to give mother of minor child all records |
NY/FL Neurology and Pain Management Provider | $100,000 | Failed to provide diagnostic films; ignored multiple mailings (including certified mail) and telephone messages from OCR over several months |
CA Psychiatric Provider | $25,000 | Refused access to all records when only small subset was subject to denial (psychotherapy notes); OCR provided technical assistance; second patient complaint filed |
NY ENT Provider | $15,000 | Failed to provide timely access and overcharged for copies; OCR provided technical assistance; second patient complaint filed |
OH Large University Medical Center | $65,000 | Failed to respond to request to send records to patient’s lawyer |
GA Primary Care Provider | $36,000 | Failed to provide access to records; OCR provided technical assistance; second patient complaint filed |
Common Right of Access Themes
First, an individual’s complaint regarding access to records triggered all the Right of Access enforcement actions. And in each matter, the provider ended up turning over the requested records.
Second, in six of the 11 matters, OCR first issued a technical assistance letter to the provider. A technical assistance letter lays out the patient’s claim and includes a statement like the following: “Pursuant to its authority under 45 C.F.R. §§ 160.304(a) and (b), OCR has determined to resolve this matter informally through the provision of technical assistance. . .”. The letter then provides information on how to comply with HIPAA and, most times, administratively closes the matter. These letters are gifts.
In each of the six matters where OCR issued a technical assistance letter, the patient filed a second complaint. The provider’s continued failure prompted an investigation that led to an enforcement action. In another matter that did not involve a technical assistance letter, the provider ignored multiple written and telephonic communications from OCR resulting in a $100,000 Right of Access settlement, the second highest so far.
Third, smaller providers are just as likely to be subject to an enforcement action as large providers. Seven of the 11 Right of Access matters involved smaller providers, as opposed to major hospitals or health systems. Notably, enforcement actions against smaller providers typically occurred only after OCR first sent a technical assistance letter; six of the seven smaller providers received technical assistance letters before OCR initiated an investigation.
Finally, OCR’s investigation of a Right of Access issue can lead to compliance inquiries in other areas including the HIPAA Security Rule. Anything OCR uncovers in its investigation is fair game for an enforcement action. Therefore, avoiding findings of non-compliance with the Right of Access requirements, which typically arise from a single individual’s complaint, will help to avoid inquiries into compliance in other areas that could lead to more involved and expensive enforcement.
Best Practices to Avoid Right of Access Claims
- Timely respond to all patient records requests and communicate with patients when there is a delay. Silence from a provider is one of the best ways to ensure that a patient will file a complaint. If for some reason, you cannot respond timely (within 30 days under HIPAA[6], although state law may require a quicker response), communicate with the patient. Unless a state law applies requiring a more expeditious response, HIPAA also allows for a one-time 30-day extension if you notify the patient within the initial 30-day period and explain why additional time is needed.[7] Also, if you deny access for a permissible reason under HIPAA or state law, you must provide a written explanation and must turn over all records not subject to the denial.[8]
- Take seriously all communications received from OCR. If OCR sends a technical assistance letter, pay attention to it. Act on the letter. Perform an investigation and document the action taken, even if you conclude that no additional action is necessary. If OCR leaves a message, return the call. Ensure that those receiving mail and phone messages understand the importance of communications from OCR.
- Treat personal representatives of patients appropriately. A few of the Right of Access matters in 2020 involved a personal representative (e.g., a parent of a minor child or a court-appointed representative) requesting access to a patient’s records. Under HIPAA, a lawful healthcare decision maker for the patient must be treated as the patient with respect to access to records, subject to some limited exceptions.[9]
- Be sure that you are not overcharging for copies of medical records. There is a common misconception that it is always appropriate to charge the per page maximum fee set by state law for copies. That is incorrect. When the patient requests copies, state law takes a backseat to the rules under HIPAA. Those rules limit the fees that a provider can charge a patient for copies, regardless of state law, to a reasonable, cost-based fee.[10]
- Avoid a defensive reaction to requests to send records to legal counsel. When there is concern that a records request could have legal implications, providers should have an internal process for reviewing the records to identify any potential issues. And when issues are identified, notify the insurance carrier. This review process, however, cannot interfere with a patient’s right to timely access to his or her records.
- Review all policies and procedures related to the Right of Access requirements and ensure that staff are trained to address requests appropriately. Just as delays without communicating with the patient will lead to complaints, inappropriate responses to patient requests similarly will lead to complaints. Now is the perfect time to dust off your Right of Access policies, make changes where necessary and retrain on those policies.
Other Important Lessons and Best Practices
Risk Analysis. The risk analysis lessons from 2020 are no different than those from previous years. Failing to comply with the HIPAA Security Rule’s risk analysis requirement will result in costly settlements or penalties. In 2020 alone, there were over $10 million in settlements for alleged risk analysis failures. Most of these issues surfaced after a breach triggered by an IT incident (e.g., hacking incident, ransomware, phishing etc.) that the provider self-reported under breach reporting requirements. These IT incidents are happening with terrifying frequency and healthcare providers are a favorite target.
- Best Practice: Perform a risk analysis. Plain and simple. While doing so requires cooperation across the organization and significant resource dedication, it is not an optional activity. Further, the better the risk analysis and risk management measures after the analysis, the far less vulnerable a provider will be to an IT incident.
Breach Reporting (Not the Brightest Bulb in the Box Award). A small Utah gastroenterologist filed a “breach” report with OCR in 2013 claiming that its electronic health records (EHR) vendor blocked the provider’s access to the EHR because of a $50,000 fee dispute. OCR investigated the unique breach report and found many HIPAA violations against the provider, including the provider’s lack of a business associate agreement with the EHR vendor. The provider agreed to pay $100,000 to settle – twice the amount of the provider’s contract dispute with its vendor.
Best Practices for Breach Reporting
- Do not invite OCR’s attention with a breach report. Use the breach report for its intended purpose only.
- The importance of a well-crafted breach report cannot be overstated. The report should provide detailed information about the incident and explain all the corrective measures in place to ensure that a similar incident does not occur again. Tips on drafting an effective breach report can be found here.[11]
Conclusion
Like my predictions for the 2020 enforcement year,[12] I expect a continued focus on the Right of Access. In fact, I suspect that many more providers will be receiving technical assistance letters on that topic in 2021 than ever before. We also will continue to see higher settlement and penalty amounts for providers that ignore OCR communications. And because cybersecurity issues are not going away, HIPAA Security Rule compliance will also remain a top focus.
Following the best practice tips above will help to significantly decrease the risk of an enforcement action. And remember, don’t be the winner of the “Not the Brightest Bulb in the Box” award!
[1] OCR has the authority to institute a civil money penalty (CMP) for noncompliance. It uses this authority when the parties cannot reach a settlement. There are guidelines and limitation on CMPs set forth in 45 CFR § 160.400 et seq.
[2] All enforcement action settlements involve a corrective action plan, which details required corrective measures that must be implemented over a specific period of time. In more significant matters, the corrective action plan could involve monitoring by OCR for years.
[3] 45 CFR § 164.524.
[4] This concept is part of the broad theme of newly proposed changes to the HIPAA Privacy Rule. See 86 FR 6446 (Jan. 21, 2021).
[5] Notably, the first announced enforcement resolution in 2021 involved Right of Access issues. https://dmclawllc.com/ocr-kicks-off-its-2021-hipaa-enforcement-year-with-another-right-of-access-settlement/
[6] 45 CFR §164.524(b)(2)(i).
[7] 45 CFR § 164.524(b)(2)(ii). Note that OCR has proposed changes to both the initial 30-day window and the 30-day extension in the new proposed changes to the HIPAA Privacy Rule to reduce the response window to 15 days. Importantly, the proposal may change or be removed and, even if it does not change, it is likely to be at least a year or two before any proposed changes are finalized.
[8] 45 CFR § 164.524(d).
[9] 45 CFR § 164.502(g).
[10] For more on the permissible components of a reasonable cost-based fees and a sample policy visit: https://dmclawllc.com/ocrs-hipaa-right-of-access-enforcement-initiative-heats-up/
[11] https://dmclawllc.com/drafting-an-effective-hipaa-breach-report/
[12] https://dmclawllc.com/hipaa-compliance-lessons-from-2019-enforcement-trends/