The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s patient right of access provision. These cases are part of a collective effort, bringing the total to 41 cases, to drive compliance with the right of access under the law.
“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”
OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational right of access provision:
· OCR received a complaint in August 2020, alleging that a Chicago dental practice failed to provide a former patient with timely access to her complete medical records. The former patient requested her entire medical records in May 2020, but received only portions. The former patient filed a complaint with OCR, and during OCR’s investigation, the practice provided her with the remainder of her records in October 2020. Thus, the practice did not provide a complete copy of the records until more than five months after the request was made. OCR’s investigation determined that the practice’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. The practice agreed to pay $30,000 and implement a corrective action plan.
· In November 2020, OCR received a complaint alleging that a Georgia dental provider would not provide an individual with copies of her medical records because she would not pay their $170 copying fee. The individual first requested her records in November 2019, but did not receive them until February 2021, over a year later. OCR’s investigation determined that the practice’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. The practice agreed to pay $80,000 and implement a corrective action plan.
· In October 2020, OCR received a complaint alleging that a Nevada dental practice had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but the practice did not send the records until December 31, 2020, which was more than eight months after her initial request. OCR’s investigation determined that the practice’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. The practice agreed to pay $25,000 and implement a corrective action plan.
OCR’s guidance on the right of access is available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
Issue:
The Privacy Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. In providing access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part, no later than 30 calendar days from receiving the individual’s request. The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. A covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means. Individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.
The Privacy Rule also permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.
Discussion Points:
- Review policies and procedures related to the HIPAA Privacy Rule’s patient right of access provision. Ensure the policies cover timely access and that fees are reasonable and cost-based.
- Train all staff on the HIPAA Privacy Rule, minimally upon hire, annually, and if issues arise. Ensure that those who receive requests for record release are knowledgeable in the right of access provision, which includes timely response and reasonable fees. Document that these trainings occurred and file the signed training document in the employee’s education file.
- Periodically audit to ensure that the facility’s policies and procedures for timely access to requested medical records are being followed by staff and that any associated costs are reasonable. Report audit results to the QAPI/QAA Committee.