The Price of Noncompliance

Know the HIPAA Right of Access rules to stay compliant and avoid costly penalties.

When HIPAA was enacted in 1996, new standards for the protection of sensitive patient health information were set. Under the HIPAA Privacy Rule, covered entities, such as health plans and healthcare providers, are required to follow strict rules pertaining to the use and disclosure of individuals’ protected health information (PHI) — including the right of patients to see and receive copies of their own health information at any time.

In September 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its Right of Access Initiative under the HIPAA Privacy Rule and immediately began enforcing patients’ rights to receive copies of their medical records promptly and without being overcharged. On Oct. 9, 2020, OCR announced that it had settled its ninth enforcement action in its HIPAA Right of Access Initiative.

Comply With the Law

According to HHS, the Privacy Rule generally requires HIPAA-covered entities to provide individuals, upon request, with access to their PHI in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity or by a business associate on behalf of a covered entity regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; and where the PHI originated.

Don’t Play the Waiting Game

On July 22, 2019, OCR received a complaint against NY Spine Medicine (NYSM) from a patient who alleged that she did not receive the copy of her medical records that she requested numerous times, beginning June 10, 2019. NYSM, a private practice specializing in neurology and pain management, provided some of the records but did not provide the diagnostic films that the individual specifically requested. OCR investigated the claim and determined that NYSM’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. As a result, the complainant received all of the requested medical records in October 2020.

“No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR director, in an HHS press release.

Let This Settle In

NYSM was ordered to pay a fine of $100,000 to settle the matter. In addition, NYSM was directed to implement a corrective action plan (CAP) that includes two years of monitoring and an agreement to:

  • Develop, maintain, and revise its written policies and procedures to comply with 45 CFR § 160 and 164 (the Privacy Rule) and submit them to HHS for review and approval;
  • Designate a privacy official responsible for the development and implementation of those policies and procedures;
  • Designate a contact person or office responsible for receiving complaints;
  • Distribute all policies and procedures approved by HHS to its workforce and relevant business associates;
  • Devise training materials which must be approved by HHS and then provide training for its workforce; and
  • Report to HHS any workforce member or business associate who fails to comply with the revised policies and procedures set forth.

Avoid Making the Same Mistake

The message is clear: OCR is serious about investigating entities that don’t comply with HIPAA right of access requirements. As a covered entity, it is important that you review your HIPAA policies and procedures to ensure you are following the letter of the law, including providing patients with their medical records in a timely manner and at a reasonable cost. Failing to do so may result in costly penalties.

Tip: Make sure you are aware of your specific state laws. They may impose additional or stricter compliance obligations that are not preempted by HIPAA, granting even greater rights to patients.

Source: HHS, Oct. 9, 2020, “OCR Settles Ninth Investigation in HIPAA Right of Access Initiative.”

Lee Fifield

Lee Fifield has a Bachelor of Science in communications from Ithaca College, New York, and has worked as a writer and editor for more than 15 years.