Show Me the Records: OCR Holds Providers Accountable Under HIPAA Right of Access Initiative
January 27, 2021
By: Stacy Walton Long and
As if to underscore Health and Human Services’ (“HHS”) commitment to electronic medical record interoperability and against information blocking, OCR closed out 2020 with a sweeping number of enforcement actions under its HIPAA Right of Access Initiative (“Initiative”). OCR also didn’t hesitate to act against another provider at the start of 2021, totaling the number of enforcement actions to 14, since the launch of its Initiative. OCR has promised to vigorously enforce the rights of patients to receive copies of their medical records without facing overcharges under the existing HIPAA rubric.
Generally, patients are permitted broad access to their health records. HIPAA provides an individual with a right of access to inspect and obtain a copy of the individual’s protected health information (“PHI”), as long as the PHI is maintained as a designated record set, does not constitute (i) psychotherapy notes; or (ii) information compiled in reasonable anticipation of litigation, or for use in a civil, criminal, or administration action or proceeding.1
HIPAA requires providers to respond to a patient’s request for access within 30 days from the date of the request.2 However, a provider is entitled to a single 30 day extension, if the provider provides the individual with a reason for the delay, and the date by which the individual will receive the requested records.3 HIPAA also restricts a covered entity from charging more than a reasonable, cost-based fee for copies of the records.
The majority of OCR’s settlements under its Initiative have involved a covered entity’s failure to provide the requestor with timely access to the requested records. For example, OCR entered into a settlement with Elite Primary Care (“Elite”) for its failure to provide a patient with access to his medical records for over a year, which resulted in a $36,000 payment to OCR. In an earlier settlement, the University of Cincinnati Medical Center, LLC (“UCMC”) paid $65,000 to OCR for failing to fulfill a patient’s request to have electronic health records sent to her lawyers.
OCR also acted against Riverside Psychiatric Medical Group (“RPMG”) for failing to provide a patient with access to her medical records. In its press release regarding the RPMG matter, OCR provided “the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities to (1) provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) provide the individual access to his or her medical records other than psychotherapy notes.”
Most recently, Banner Health paid $200,000 to settle potential violations for HIPAA. OCR’s investigation revealed two complaints of Banner Health failing to respond to patients requests for records for several months, respectively. In the related press release, OCR Director Roger Severino, stated “[t]he first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.”
While Providers must be aware of patients’ rights of access under HIPAA, they must also understand the circumstances in which restricting access to PHI may be required. Providers should enter their notes understanding that the patient will be able to read them, if requested, except for very narrow exceptions. Compliance with HIPAA can ultimately enhance patient relationships and prevent providers from incurring unnecessary and costly penalties.
For more information regarding individuals’ rights to their PHI under HIPAA, see here. If you have questions regarding HIPAA compliance, or other HIPAA-related questions, please contact Stacy Walton Long, Alexandria M. Foster or any other Krieg DeVault attorney in the Health Care Practice Group.
Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
[1] 45 CFR § 164.524(a)(1).
[2] 45 CFR § 164.524(b)(2).
[3] 45 CFR § 164.524(b)(2)(i)(A-B).
January 27, 2021
By: Stacy Walton Long and
As if to underscore Health and Human Services’ (“HHS”) commitment to electronic medical record interoperability and against information blocking, OCR closed out 2020 with a sweeping number of enforcement actions under its HIPAA Right of Access Initiative (“Initiative”). OCR also didn’t hesitate to act against another provider at the start of 2021, totaling the number of enforcement actions to 14, since the launch of its Initiative. OCR has promised to vigorously enforce the rights of patients to receive copies of their medical records without facing overcharges under the existing HIPAA rubric.
Generally, patients are permitted broad access to their health records. HIPAA provides an individual with a right of access to inspect and obtain a copy of the individual’s protected health information (“PHI”), as long as the PHI is maintained as a designated record set, does not constitute (i) psychotherapy notes; or (ii) information compiled in reasonable anticipation of litigation, or for use in a civil, criminal, or administration action or proceeding.1
HIPAA requires providers to respond to a patient’s request for access within 30 days from the date of the request.2 However, a provider is entitled to a single 30 day extension, if the provider provides the individual with a reason for the delay, and the date by which the individual will receive the requested records.3 HIPAA also restricts a covered entity from charging more than a reasonable, cost-based fee for copies of the records.
The majority of OCR’s settlements under its Initiative have involved a covered entity’s failure to provide the requestor with timely access to the requested records. For example, OCR entered into a settlement with Elite Primary Care (“Elite”) for its failure to provide a patient with access to his medical records for over a year, which resulted in a $36,000 payment to OCR. In an earlier settlement, the University of Cincinnati Medical Center, LLC (“UCMC”) paid $65,000 to OCR for failing to fulfill a patient’s request to have electronic health records sent to her lawyers.
OCR also acted against Riverside Psychiatric Medical Group (“RPMG”) for failing to provide a patient with access to her medical records. In its press release regarding the RPMG matter, OCR provided “the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities to (1) provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) provide the individual access to his or her medical records other than psychotherapy notes.”
Most recently, Banner Health paid $200,000 to settle potential violations for HIPAA. OCR’s investigation revealed two complaints of Banner Health failing to respond to patients requests for records for several months, respectively. In the related press release, OCR Director Roger Severino, stated “[t]he first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.”
While Providers must be aware of patients’ rights of access under HIPAA, they must also understand the circumstances in which restricting access to PHI may be required. Providers should enter their notes understanding that the patient will be able to read them, if requested, except for very narrow exceptions. Compliance with HIPAA can ultimately enhance patient relationships and prevent providers from incurring unnecessary and costly penalties.
For more information regarding individuals’ rights to their PHI under HIPAA, see here. If you have questions regarding HIPAA compliance, or other HIPAA-related questions, please contact Stacy Walton Long, Alexandria M. Foster or any other Krieg DeVault attorney in the Health Care Practice Group.
Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
[1] 45 CFR § 164.524(a)(1).
[2] 45 CFR § 164.524(b)(2).
[3] 45 CFR § 164.524(b)(2)(i)(A-B).