Medicare Compliance & Reimbursement

HIPAA:

Keep Your Right of Access Policies on Track

Expect some changes under a new administration.

Recent updates suggest patients’ rights to their health data will likely continue to be a primary policy focus in 2021. And even though experts anticipate changes under a new administration, it’s essential to make compliance a priority.

Background: In 2019, the HHS Office for Civil Rights (OCR) announced its HIPAA Right of Access Initiative and followed that announcement with its first case in September of that year. The OCR has continued to settle cases ever since, with its 14th HIPAA Right of Access settlement coming on Jan. 12.

The 14 cases ran the gamut of healthcare from small practices to large healthcare conglomerates. However, there were some similarities — all the covered entities (CEs) agreed to corrective action plans (CAPs) and suffered penalties, ranging from $3,500 to $200,000.

Another defining characteristic among all the settlements was how quickly the CEs responded to the patients’ requests. “A key takeaway is that covered entities must respond to an individual’s access request no later than 30 days after receipt of the request. All of the settlements to date involved, at least in part, a failure to respond within that required timeframe,” indicate attorneys Jennifer J. Hennessy, Chloe B. Talbert, and Jennifer L. Urban with law firm Foley & Lardner LLP in online legal analysis.

Because OCR’s Right of Access enforcement encompassed such a wide range of entities this past year, the actions “leave little doubt as to the breadth and applicability of the rules,” says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “It should be clear by now that providing patient access is not going to go away, and that not following the rules can be expensive, with penalties tailored to cause pain for a variety of sizes and types of institutions,” he warns.

“The rules, the changes, and the expected changes under the CURES Act all need to be fully absorbed by staff involved with Release of Information — and any HIPAA business associates involved need to likewise be up-to-date,” Sheldon-Dean reminds. “The old ways just don’t apply anymore, and if you lag in compliance you can expect a discussion with OCR. This will be an effort that will take some time, training, and adjustment for many institutions, but has to take place now,” he explains.

As you update your procedures and policies, consider these HIPAA Right of Access tips:

  • Train your workforce on individuals’ rights to access their health data, and what this means to your organization.
  • Review the 14 cases’ CAPs for advice on what to avoid and what the OCR expects on Right of Access compliance.
  • Don’t ignore patients’ requests for their records, and keep on top of due dates and time requirements.
  • Address any third-party HIPAA concerns and hammer out a comprehensive business associate agreement (BAA).
  • Keep a written record of your organization’s policy updates, so you have recourse if problems pop up.

“I think we can expect a slowdown in action from HHS during the transition of the administration, but these issues have been around a lot longer than any administration and will continue to be a focal point,” says Sheldon-Dean.

Resources: Review OCR guidance on Right of Access at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html and find links for the 14 cases at www.hhs.gov/ocr/newsroom/index.html.