Right-of-access enforcement actions help patients control their health information  

OCR's Right of Access Initiative

CJ Wolf. MD provides enforcement action summaries for the YouCompli blog. These summaries provide real-world examples of regulators’ response to practices that don’t fully comply with regulations. This month’s article looks at privacy-related incidents.   

Imagine you request your complete medical records from a provider, but you only received a portion of those records. You file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The provider sends the complete record during the OCR’s investigation – five months after you requested it. In that time, your new provider or specialist had to repeat tests, or you were unable to move forward with important life decisions.  

Unfortunately, this scenario is not uncommon. In fact, OCR posted a press release about a recent occurrence just last month. As a result of the OCR’s investigation a health care provider will pay $30,000 for this potential violation of the HIPAA right of access provision. The provider also agreed to implement a one-year corrective action plan (CAP) between themselves and OCR. 

This announcement brought the total number of OCR enforcement actions under their right of access initiative to 41.  

Copying fees lead to delay in records release 

In another case recently announced by OCR, a dental and orthodontics provider in Georgia agreed to pay $80,000 and implement a CAP. In this scenario, the patient alleged she requested copies of her medical records, but the practice withheld the records. The practice was requiring a $170 copying fee. OCR investigated and determined the practice failed to provide the patient with timely access and that the copying fee was not reasonable, and cost-based. As OCR has previously pointed out, it is preferred a patient is not charged at all for requesting their medical records.  However, if an entity is going to charge a patient a fee, the fee may include only the cost of certain labor, supplies, and postage.  In this case it appears OCR felt the $170 fee was not an appropriate amount for this particular request. 

Dental practice also subject to timely records release rule 

In a third case, it was alleged a Las Vegas dentist did not provide a mother with her and her minor child’s information until eight months after her initial request. OCR investigated and determined that the failure to provide the records in a timely manner potentially violated the HIPAA right of access provision. The dental practice paid $25,000 and agreed to a CAP. 

“Patients have a fundamental right” to their medical records 

Referring to these three cases, the director of OCR stated, “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law. Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” 

In addition to the settlement announcements themselves, compliance professionals with HIPAA privacy oversight responsibilities can also learn a great deal from the corrective action plans that these and other entities have entered into with the OCR. The corrective action plans give a glimpse into OCR’s expectations in relation to HIPAA compliance. 

The following are some of the obligations found in the corrective action plans: 
  • Policies and Procedures: Develop, maintain, and revise, as necessary, written access policies and procedures to comply with Federal standards. The standards that govern the privacy of individually identifiable health information are 45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule.” 
  • Distribution and Updating of Policies and Procedures: Distribute the policies and procedures to members of the workforce and relevant business associates. Be sure to share the policies and procedures with new members of the workforce within 30 days of their beginning of service. Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed. Within 30 days of the effective date of substantive revisions, distribute the revised policies and procedures to members of your workforce and relevant business associates.  
  • Minimum Content of Policies and Procedures:  
    • Designated Record Set Policy contained within its Right of Access to PHI policy to ensure comprehensive responses to requests for records. 
    • Release of Information form to ensure patients have the option to request their entire designated record set. 
    • Protocols for training all workforce members and business associates that are involved in receiving or fulfilling access requests.  
    • Application of appropriate sanctions against workforce members who fail to comply with the policies and procedures.
    • Designation of one or more individuals who are responsible for ensuring business associate agreements are properly executed with any business associates involved in access responsibilities under the Privacy Rule. 
  • Training: 
    • Provide training for each workforce member and relevant business associate and to each new colleague within 30 days of their beginning of service. 
    • Each colleague who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All course materials shall be retained 
    • Review the training at least annually. Update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments 

It should not require a corrective action plan for covered entities and business associates to proactively address their HIPAA compliance programs. OCR offers guidance documents in this regard. As it specifically relates to the HIPAA right of access provision, OCR has offered guidance. OCR has been demonstrating its commitment to right of access compliance for the last few years. The three recent settlements addressed in this brief are just the latest to be announced. OCR does not appear to be slowing down in this particular area of enforcement.  

Compliance professionals should make sure the patient-facing team is equipped to meet OCR’s right of access provisions. This includes: checking and distributing polices, performing and documenting appropriate training, and auditing or monitoring current processes. You can help your organization stay in compliance and ensure patients get what they need with these steps.  

Don’t miss enforcement action articles from CJ Wolf. Register for emails from YouCompli

Managing regulatory change is crucial to avoid enforcement actions. YouCompli is the only healthcare compliance solution that combines actionable, regulatory analysis with a simple SaaS solution to help you manage regulatory change. Read more about the rollout and accountability of requirements or schedule a demo.  

Get a personal tour of YouCompli.