Office of Civil Rights Warns Patient Right of Access to Medical Records Can’t be Denied

In a recent HIPAA Journal publication, it was stated that the Health and Human Services (HHS) – Office for Civil Rights (OCR), has issued a warning to healthcare providers, focusing on the importance of compliance with the “HIPAA Right of Access,” that is also a part of the 21st Century Cures Act.

They announced that the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38. In their statement, they announced that more than 11 financial penalties for HIPAA-covered entities, such as hospitals, and physician practices, failed to provide patients, when requested, timely access to their medical records.

Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information (PHI) from healthcare providers and health plans.

When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.

Further, if the patient wants their records in a phone app, or digital access that is HIPAA protected, and the physician or facility that this information is being requested from, has that capability, then this is how it must be delivered. If the HIPAA-covered entity does not have that particular platform of delivery, they can ask the HHS-OCR to assist in implementing that electronic capability. There is also an option to direct the patient to their EMR, password protected patient portal, as long as the patient is given easily accessible instructions for use, and agrees to that form of delivery.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Healthcare organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

Likely Interference or Information Blocking

It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results (see also 85 FR 25842 specifying that such a practice does not qualify for the “Preventing Harm” Exception).

To further illustrate, it also would likely be considered an interference:

• where a delay in providing access, exchange, or use occurs after a patient logs in to a patient portal to access EHI that a health care provider has (including, for example, lab results) and such EHI is not available—for any period of time—through the portal.
• where a delay occurs in providing a patient’s EHI (electronic health information) via an API (application programming interface or healthcare app) to an app that the patient has authorized to receive their EHI.

HIPAA Right of Access Penalties

Per the HIPAA Journal, the latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.

One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. A second complaint was then filed with OCR a month later when the records had still not been provided.

What is of note, is that many HIPAA-covered entities believe that if the patient has an outstanding balance with that entity or physician practice that they can hold the patient’s records based on that issue. That is an inaccurate assumption.

OCR’s investigation into ACPM Podiatry revealed the records had been withheld as the complainant’s insurance company had not paid the bill, but the complainant said the records were required in order to appeal the unfavorable decision, and that the records were necessary to file that appeal. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, OCR’s notice of proposed determination of a financial penalty, nor the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.

You cannot ignore these patient requests or the requests from the OCR. The release of a patient’s ePHI is not conditional on whether or not their bill is paid in full. The below table reflects some of the recent penalties enforced by OCR for information blocking, and they do publish these entities and the penalties.

Source: HIPAA Journal July 2022

Programming note: Listen live today when Terry Fletcher reports this developing story during Talk Ten Tuesdays, 10 Eastern.

References:

https://www.hipaajournal.com/ocr-announces-11-further-financial-penalties-for-hipaa-right-of-access-failures/

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html