Health Information Compliance Alert

Compliance:

Don’t Skimp on HIPAA Right of Access Policies

Tip: Consider using past resolutions as a template for compliance planning.

With cases continuing to stack up, it looks like the feds aren’t going to let up on HIPAA Right of Access enforcement any time soon. If you haven’t made patient record requests a prime concern at your practice, it’s time to put a plan into action.

Background: In 2019, the HHS Office for Civil Rights (OCR) announced its HIPAA Right of Access Initiative, promising to make patients’ rights to their records a priority. The agency ramped up its enforcement slowly, but it’s now in full force with the 18th settlement announcement on March 26. Since the program began, OCR’s investigations have run the gamut from small practices to large multi-state conglomerates with fines ranging from $3,500 to $200,000 — signifying to covered entities (CEs) that no organization is exempt from scrutiny and penalty.

Important: “All of these settlements started with a patient complaint filed with OCR against the covered entity,” says attorney Leigh A. Wilkinson with Ward and Smith P.A. in New Bern, North Carolina, in online analysis.

Ensure Staff Know the Requirements

Providing individuals with the ability to access and obtain a copy of their health records may seem easy, but it’s more nuanced and complicated than you might think, experts suggest. “Regardless of the seeming simplicity of this access right, there are numerous requirements contained in the HIPAA regulations and OCR guidance that may ensnare unwary covered entities,” Wilkinson says.

Refresher: HIPAA requires CEs to provide their patients with their protected health information (PHI) within 30 days of a request. Though CEs can ask for an extension, it must be in writing, and they can only ask for an extension once per patient request.

Moreover, a nominal fee for the medical records is allowed, but it must be reasonable. And as part of the Right of Access provision, CEs must provide patients access to their records in a designated record set (DRS).

Tip: You always need to have a process for people to ask for copies of the information in their DRS, advises HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. And you must have a reasonable cost-based fee for furnishing the copies.

For instance, if a patient wants to get a copy of his records, you would give him a copy of whatever is in his DRS, Sheldon-Dean explains. And if the patient wants to amend his records, you would amend whatever records exist in the DRS.

Why? Value-based initiatives have put patients’ rights at the forefront of healthcare, and easy, affordable access to files falls under the umbrella of quality care. Plus, “providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being,” insists OCR guidance.

Health IT and regulatory reform have also made it easier for CEs to coordinate care, share data, and offer this information to their patients.

Review OCR’s March 2021 Right of Access Settlements

The differences in the latest cases exemplify OCR’s insistence that its enforcement on this issue has no bounds and aligns with its reasoning on past settlements. Take a look at the investigation breakdowns:

Arbour: In the 17th settlement, Arbour Hospital, which offers behavioral health services in Massachusetts, agreed to pay $65,000 for violations of the Right of Access standards, as well as to enter into a corrective action plan (CAP) and one year of OCR monitoring.

A patient filed a complaint in July 2019 after requesting the records in May of that year. After receiving a second complaint, OCR opened an investigation, discovering the violation. Arbour eventually forked over a copy of the records in November 2019 — five months after the initial request.

VPS: New Jersey-based Village Plastic Surgery (VPS) agreed to pay OCR $35,000 for failing to respond to a patient’s August 2019 request for records. The small practice also consented to a CAP and two years of OCR monitoring.

The feds began an investigation after the individual filed a complaint in September 2019. The small practice sent the patient the requested PHI after OCR started looking into the complaint.

“Fine amounts are determined by a range of factors, including the nature of the alleged violation, the harm caused by the HIPAA violation, the facility’s size, and the facility’s compliance history,” note attorney Matthew Brohm and Laura Dona with Arnall, Golden, Gregory LLP in online legal analysis. “Further, if corrective action plans are not followed, HHS may impose additional civil money penalties on the facility,” warn Brohm and Dona.

Update Compliance Tactics From Past Insight

Even though the 18 settlements cover a wide range of organizations, they all have a few things in common. In fact, if you are searching for clues on what OCR requires, just look at the settlement resolutions, suggests Wilkinson.

There’s another reason to review OCR’s guidance and past settlements’ specifics to enhance your policies. The feds released a notice of proposed rulemaking (NPRM) that includes more stringent provisions on Right of Access than the current requirements (see story, p. 1).

That’s why it’s essential that your staff understand the seriousness of these HIPAA provisions and OCR’s readiness to enforce them.

When you conduct your next HIPAA risk analysis, consider updating with policies based on OCR guidance in the case resolutions, Wilkinson indicates. Here are five questions to ask yourself based on past settlement details and HIPAA Right of Access requirements:

  1. Do staff respond quickly and without judgment to patients’ requests for their health records?
  2. Do employees know what the HIPAA-allowed fees are, and does your organization’s fee schedule align with what OCR considers “reasonable”?
  3. Do practice personnel understand the rules on form and format, DRSs, verification, personal representatives, and more?
  4. Are policies in place to address patient complaints and subsequent OCR scrutiny or audits?
  5. Have you reviewed state laws and how they impact patients’ rights?

Bottom line: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese in a release. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

Resources: Review the particulars of the Arbour settlement at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/arbour/index.html and check out the VPS case specifics at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/vps/index.html.