Little mistakes can lead to big consequences: HIPAA Right of Access Initiative

In 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new enforcement priority called the “HIPAA Right of Access Initiative.” This initiative focuses primarily on three aspects of a patient’s right to access to their records: prompt access to their medical records; amounts patients are charged for the medical records and being provided access in a readily producible format of the patient’s choice.

By way of background, with certain limited exceptions, the HIPAA Privacy Rules, at 45 CFR 164.524, provide that an individual has a right of access to inspect and obtain a copy of protected health information (PHI) about the individual in a designated record set, for as long as the PHI is maintained in the designated record set. The covered entity is allowed to require that individuals make a request for access in writing, provided that it informs individuals of such a requirement. In most instances, the covered entity must act on a request for access no later than 30 days after receipt of the request, by either accepting the request and providing the requested access or providing a written denial. If the covered entity is unable to act on the request within the 30-day period, the covered entity may have one extension of no more than 30 days, provided that the covered entity provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the records request.

The covered entity must provide the individual with access to the PHI in the form and format requested by the individual, whether in hard copy or an electronic copy, if it is readily producible in such form and format. If it is not, then the covered entity must provide the individual a readable hard copy form or such other hard copy or electronic form and format as agreed to by the covered entity and the individual. The covered entity is permitted to reach out to the individual to discuss the scope, format, and other aspects of the request for access as necessary to facilitate the timely provision of access. A covered entity may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI itself, but only if the individual agrees in advance to such a summary.

An individual's request for access may direct the covered entity to transmit the copy of PHI directly to another person designated by the individual and, if the signed, written request clearly identifies the designated person, the covered entity must provide the copy to the person designated by the individual.

A covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of (i) labor for copying the PHI requested by the individual, whether in paper or electronic form; (ii) supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media; (iii) postage, when the individual has requested the copy, or the summary or explanation, be mailed; and (iv) preparing an explanation or summary of the PHI, but only if agreed to by the individual.

Over the past 14 months, under the HIPAA Right of Access Initiative, OCR has taken twelve  enforcement actions, ten of which have been in 2020, with the covered entities ranging from large health systems to a solo practitioner to a nonprofit agency providing services to homeless persons living with HIV/AIDS. Each of these enforcement actions stemmed from a complaint by an individual and resulted in both the assessment of a monetary penalty and a resolution agreement and corrective action plan with OCR. The monetary penalties have been modest in comparison to the penalties assessed for OCR’s enforcement actions for unauthorized uses and disclosures of PHI, with the lowest being $3,500 and the highest being $160,000. However, the corrective action plans require that the covered entity take extensive steps to ensure compliance. Each corrective action plan requires, for example, that the covered entity conduct a review of the covered entity’s policies and procedures and developing additional policies and procedures as may be necessary. To ensure compliance, the covered entity is further required to provide copies of the policies and procedures to HHS for review and approval. It must also have a plan to implement and distribute the updated policies and procedures, including signed certifications from its workforce members that they have read and will comply with the policies and procedures. As part of the implementation plan, the covered entities must appropriately train workforce members with respect to the updated policies and procedures. The corrective action plans also require that the covered entity assess and revise the policies and procedures annually and report any instances of noncompliance to OCR. Annual reporting to HHS for one to three years, depending on the covered entity, is also required. Finally, the corrective action plans impose certain document retention obligations.

In several of the corrective action plans, OCR delineated the specific areas that the policies and procedures must address. These include delineating the right to and content of notice, timely action by the covered entity, the fees charged by the covered entity, how notice is provided and the time and manner of access, documentation to be maintained by the covered entity, training protocols for both workforce members and business associates, safeguarding designated record sets, a process to impose sanctions for workforce members who fail to comply with policies and procedures, and maintaining a process for reviewing business associate performance.

When the HIPAA Right of Access Initiative was announced, OCR promised to “vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.” OCR shows no sign of slowing its continued pursuit of enforcement actions under the HIPAA Right of Access Initiative. To that end, it would be prudent for covered entities to review their policies and procedures regarding patient access to records, with particular attention to whether there are processes to ensure that (i) all information requested by the individual is being provided; (ii) such information is being provided in a timely manner; (iii) notice is being provided for any denials of requests for information; and (iv) the fees charged are compliant. Further, if right of access training has not been recently conducted, workforce members should undergo training regarding the handling of and responding to requests for records. Finally, to the extent any portion of handling requests for access is handled by a business associate, covered entities should assess the business associate’s performance and take appropriate steps to address any identified deficiencies.

OCR has clearly signaled its intent to hold covered entities accountable to ensure that patients get timely access to their medical records—covered entities would be well-advised to take heed.