HIPAA Right of Access: Six Reasons That Practices Get Busted
The federal government has become laser-focused on ensuring individuals’ timely access to their health records. Learn about the common ways healthcare practices have triggered complaints that cost thousands of dollars, earned bad publicity, and brought ongoing government scrutiny.
The Health Insurance Portability and Accountability Act (HIPAA) is best known for its directives to keep patient information confidential and secure. A less-discussed part of HIPAA’s Privacy Rule, however, is the Right of Access standard, which makes providers responsible for giving patients access to their own health information.
According to the US Department of Health and Human Services (HHS), allowing individuals easy access to their personal health information puts them “in the driver’s seat” of their health, a vital component of a patient-centered health care system. The access allows patients to:
- monitor chronic conditions
- follow treatment plans
- find and correct errors
- track their progress
- directly contribute patient data to research.
HIPAA Right of Access provisions include detailed requirements for healthcare providers when a patient asks for health records. In such situations, what are your obligations? Do you have discretion regarding the release of information?
To help you understand, we outline six types of HIPAA Right of Access violations. Then we look at recent real-life enforcement actions by the Office for Civil Rights (OCR). Pay attention to these examples. You don’t want to find yourself the subject of a similar complaint.
Not Providing Access In a Timely Manner
A patient’s request for copies of their records, or a request that the records be sent to another practice, is an “access request.” HIPAA requires healthcare practices to act on an access request within thirty calendar days of receiving it, either by providing the records or by issuing a written denial. Respond sooner if you can, and acknowledge receipt of the request.
What if the information is archived offsite or otherwise not readily accessible? If you cannot provide access within thirty calendar days, you may take one extension of up to thirty more days. The extension isn’t automatic: within the original thirty-day period you must inform the patient in writing of the reason for the delay and the date by which you will fulfill the request. HIPAA allows only one extension per access request.
NY Spine Medicine
In July 2019, a NY Spine Medicine patient complained to OCR that the practice had repeatedly failed to fully respond to her medical records requests. While NY Spine provided some of the records, it did not provide diagnostic films that she had specifically requested. The OCR investigation determined that NY Spine failed to provide timely access to all of the requested medical records. This potentially violated HIPAA’s Right of Access requirements.
It’s important to note that NY Spine and OCR resolved the matter through a voluntary settlement. NY Spine agreed to pay $100,000 and enter into a corrective action plan that subjects it to two years of government monitoring. Although the patient eventually received all of her requested records in October 2020, OCR Director Roger Severino commented:
No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped-up enforcement of the right of access until covered entities get the message.
Housing Works
In July 2019, a patient complained to OCR that Housing Works, an HIV/AIDS-focused nonprofit, failed to provide him with a copy of his medical records as requested. In response, OCR provided technical assistance to Housing Works to support compliance with the HIPAA Right of Access requirements and closed the complaint.
A month later, however, OCR received another complaint that the patient had still not received his records and opened an investigation. OCR determined that the failure to provide the requested medical records was a potential violation. In a settlement, Housing Works agreed to pay $38,000 and adopt a corrective action plan with one year of government monitoring. Five months after his initial request, the patient finally received his records.
St. Joseph’s Hospital and Medical Center
In April 2018, a patient’s mother complained to OCR that she had been requesting her son’s medical records for the previous four months from St. Joseph’s Hospital and Medical Center. St. Joseph’s provided some but not all of the requested records, despite the repeated requests and passage of time.
The OCR investigation determined that St. Joseph’s actions were a potential violation of the HIPAA Right of Access standard. The hospital agreed to a settlement of $160,000 and a corrective action plan with two years of government monitoring. The patient’s mother eventually received all of the requested records in December 2020—more than 22 months after her initial request.
It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. . .—Roger Severino, OCR Director
Failing to Provide Access to Personal Representatives
A patient’s personal representative has the same right of access as the patient, as the St. Joseph’s case illustrates. A minor patient’s mother is an obvious example, but many other designated healthcare representatives have rights under HIPAA.
An individual’s personal representative is typically someone who is allowed, under state law, to make healthcare decisions for that individual. The representative has the right to access the individual’s PHI themselves and can instruct the practice to send a copy of the PHI to another person or practice.
Beth Israel Lahey Health Behavioral Services
In April 2019, OCR received a complaint alleging that Beth Israel Lahey Health Behavioral Services (BILHBS) failed to respond to a February 2019 request from a personal representative seeking access to her father’s medical records. OCR initiated an investigation and determined that BILHBS’ failure to provide the requested medical records was a potential violation of the HIPAA Right of Access requirements.
As a result of OCR’s investigation, Beth Israel agreed to pay $70,000 to settle with OCR and adopt a corrective action plan with one year of monitoring. The personal representative received the requested records in October 2019.
Denying Access to the Patient
Under certain limited circumstances, a practice can deny an individual’s request for access to all or some of the requested records. Depending upon the reason for the denial, the patient may have the right to have the denial reviewed by another licensed healthcare professional. HIPAA’s regulations explain when a denial may be proper and under what circumstances a denial is reviewable.
You may not require an individual to provide a reason for requesting access. Moreover, the individual’s rationale for requesting the records — if shared with the practice — is not a permissible reason to deny access.
Practices are also responsible for responding to access requests where the records are maintained by one of the practice’s business associates. For instance, if your electronic health records vendor maintains your records, or your files are housed at an offsite records storage facility, you’re still obligated to deliver those records to the patient.
Furthermore, even if you have grounds to deny access to some PHI, you must give the patient access to any other PHI requested. The work of segregating and reviewing the patient’s PHI does not excuse your obligation to provide access to the portions of the record to which the patient is entitled.
Riverside Psychiatric Medical Group
A patient filed multiple complaints alleging that Riverside Psychiatric Medical Group failed to provide a copy of her medical records. Riverside argued that it wasn’t obligated to comply with the request because the records included psychotherapy notes, which HIPAA excludes from the right of access. However, OCR determined that Riverside potentially violated HIPAA when it failed to provide a written explanation for denying the patient’s request. It also failed to hand over the parts of her medical record that weren’t psychotherapy notes.
The outcome: Riverside agreed to pay a $25,000 settlement. It also agreed to send the patient all of her records (except the psychotherapy notes) and adopt corrective actions with government oversight.
Failing to Send Records to a Third Party
A patient has the right to request that a practice send their records directly to another person or entity (e.g., a law firm, social service agency, or other medical office).
In 2013, this “third-party directive” provision was expanded to cover all PHI in a designated record set, and the records must be sent in the form and format the patient requests if it’s readily producible. Previously, the provision applied only to information contained in an electronic health record.
Korunda Medical
In March 2019, OCR received a complaint alleging that Korunda Medical had repeatedly ignored a patient’s requests that their medical records be sent electronically to a third party. In response, OCR gave Korunda technical assistance to correct these matters and closed the complaint.
Despite OCR’s assistance, Korunda still failed to provide the requested records, resulting in another complaint. Korunda agreed to take corrective action and pay $85,000 to settle the potential violation. In addition to the monetary settlement, Korunda had to complete a corrective action plan with one year of monitoring.
The Korunda Medical matter was one of the earliest enforcement actions under OCR’s Right of Access Initiative, and it sparked strong comments from Director Severino:
For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.
To clarify some of the requirements surrounding PHI-sharing among a patient’s providers, HHS has created a fact sheet titled Permitted Uses and Disclosures: Exchange for Health Care Operations.
As part of your compliance with the Right of Access and other HHS regulations, your Notice of Privacy Practices must address the specifics of how you may share patient information. Read more in our blog, “Why Your Notice of Privacy Practices Alone Doesn’t Satisfy Your HIPAA Obligations.”
Not Providing Access in the Requested Format
The Korunda Medical settlement highlighted another Right of Access provision: Korunda had failed to provide the patient’s records in the requested electronic format.
The Privacy Rule requires you to give patients access to their records in the form and format requested, if it’s readily producible in that form and format. If that isn’t possible, then it must be produced in a readable hard copy form or another format that the parties agree upon.
You’re not required to purchase new software or equipment to accommodate every possible request. If you maintain records electronically, you must be able to provide some electronic copy of them; if the patient refuses every electronic format you are capable of producing, you may instead provide a readable hard copy.
Charging Excessive Fees for Producing Copies of Patient Records
HIPAA allows practices to charge only a reasonable, cost-based fee for producing copies of patient records. Under OCR’s guidance on this “patient rate,” you may charge a flat fee of no more than $6.50 for electronic copies of electronically maintained PHI, or a reasonable, cost-based fee that reflects the labor, supplies, and postage involved in copying and sending the information.
The patient must be informed of the fee in advance, and the fee may not include costs associated with:
- Searching for and retrieving the PHI
- Maintaining systems
- Recouping capital for data access
- Other expenses not listed above even if state law authorizes such costs
Finally, if you’re fulfilling a patient’s request by using your EHR system’s View, Download, or Transmit functions, you cannot charge a fee.
What About State Right of Access Laws?
When state laws give individuals greater rights of access to their records than the Privacy Rule, practices should follow state law and provide that broader access.
For example, HIPAA would not “preempt” (override) a state law that requires healthcare practices to give patients one free copy of their medical records, even though the federal law permits the provider to charge a fee. In such a situation, practices must comply with state law and provide a free copy. This is a great example of why even practices that aren’t HIPAA covered entities should maintain stringent privacy policies and procedures — they are likely still obligated to the same or heightened standards under their state laws!
However, when state laws undermine the Privacy Rule access provisions—such as one that prohibits certain laboratories from disclosing test reports directly to an individual—they are usually preempted by HIPAA and thus unenforceable.
The Costs of Non-Compliance with HIPAA Right of Access Provisions
HHS wants to send a clear message: the price tag of a settlement far outweighs the cost of compliance, both in dollars and effort. See our illustration, “HIPAA Compliance Preparedness,” for a quick comparison.
To date, these settlements have ranged from $3,500 to $160,000. OCR considers several factors in determining the amount of a settlement, including:
- the nature and extent of the potential HIPAA violation
- the harm resulting from the potential HIPAA violation
- the practice’s history of compliance with the HIPAA Rules
- the practice’s financial condition, including its size and the impact of the COVID-19 public health emergency
- other matters as justice may require
Of course, the monetary settlement is only the beginning. Corrective action plans—which may include updated policies and procedures, increased training, and enhanced oversight—can be onerous for small practices. Inevitably, corrective action plans prove to be far more cumbersome than routine compliance efforts.
The bottom line: every practice should develop a formal HIPAA plan that addresses patients’ rights to access their health information. On an ongoing basis, monitor internal procedures and review (and enforce) your policies to ensure you reach and maintain compliance.
An experienced healthcare attorney licensed in your state can help you draft a comprehensive, customized plan that encompasses all aspects of HIPAA’s Privacy and Security Rules. Such planning can help avert the costly consequences of non-compliance.
To speak to one of Jackson LLP’s attorneys about drafting your compliance plan, book a free consultation.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.