The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced on July 15, 2022, that it has resolved 11 investigations conducted under the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. These settlements remind providers that, as OCR Director Lisa J. Pino stated, “OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.” With these latest settlements, OCR has resolved 38 enforcement actions in its Right of Access Initiative, which continues to have momentum.

The goal of the Right of Access Initiative is to highlight and enforce an individual’s right to access protected health information (“PHI”) in their own medical records and the covered entity’s obligation to timely provide such records. An individual’s complaint to OCR because a covered entity or its business associate failed to respond to an individual’s request for records within 30 days often triggered the HIPAA Right of Access Initiative investigations.

Key Takeaways from the Resolution Agreements

The resolution agreements and corrective action plans from these 11 enforcement actions offer healthcare providers and other covered entities reminders of the types of activities that can run afoul of the HIPAA Privacy Rule right of access:

• Do not ignore requests and other communications from OCR. For example, in response to a second complaint from a patient, OCR issued a data request to a podiatry practice.  When the practice did not timely respond to the data request, OCR twice called the practice and spoke with a workforce member who was not a physician, but who confirmed receipt of the data request. OCR then sent a letter via certified mail reminding the practice of its obligation to comply with the data request.  The practice failed to ever contact the OCR investigator or respond when OCR sent a Letter of Opportunity that gave the practice the chance to submit evidence of mitigating factors that OCR should consider in imposing civil monetary penalties (“CMP”).  OCR ultimately imposed a CMP of $100,000 against the practice.
• Comply with technical assistance that OCR provides in response to a complaint.
• Recognize that failing to timely respond to an individual’s request for their records may have consequences for the individual. In one case, the covered entity did not timely provide records that the individual needed to timely appeal a decision made by a health insurance company.
• When determining the amount of CMP, OCR considers, among other factors, the financial condition of the covered entity.  In one case, the covered entity did not provide OCR with any information in response to a request for mitigating evidence, so OCR reviewed available information, including the covered entity’s Medicare reimbursements over the prior seven years, to determine the CMP.
• Providers cannot deny a patient access to their PHI because the patient has an outstanding balance.
• Records provided to a patient must be complete.
  • One covered entity provided a limited record abstract instead of the complete medical record that the patient requested.
• A workforce member’s misunderstanding about a patient’s access rights does not excuse the failure to provide requested records.
• Covered entities must recognize a personal representative of a patient.
  • For example, a mother, acting as her son’s healthcare proxy, requested his medical records and did not get timely access.  In another case, the covered entity was required to provide medical records to a patient’s daughter since she was her mother’s personal representative.

• The size and type of provider does not matter. OCR will pursue corrective action against large and small healthcare providers of all types who fail to timely respond to patients’ requests for copies of their records.  The parties to the latest settlement agreements include a podiatry practice, a nursing and rehabilitation facility, a health system, a surgical group practice, a dental practice, and a public benefit corporation that operates a hospital.

Notable Requirements for Covered Entities in the Corrective Action Plans

The resolution agreements also offer useful insight into how to properly comply with record requests.  More noteworthy corrective actions include requirements that the covered entities:

• Distribute updated right of access policies and procedures to workforce members and relevant business associates and obtain a signed written or electronic compliance certification from them stating they have read and will comply with those policies and procedures.
• Include particular content in the policies and procedures including, for example:
  • an accurate definition of a “Designated Record Set”;
  • standardized procedures for responding to requests;
  • protocols for those involved in receiving or fulfilling access requests, as well as those maintaining record sets;
  • a requirement that individuals be provided with a complete copy of their record upon request rather than a limited record abstract;
  • a provision that individuals who request their PHI are to be provided with access to PHI in the form and format requested or, if it is not readily producible in such form or format, in a readable hard copy form or such other form as agreed to by the covered entity and the individual;
  • a policy ensuring an appropriate response to individuals’ requests for access directing the covered entity to transmit copies directly to a designated third party;
  • protocols reasonably designed to verify the identity and authority of a personal representative for the purposes of a request for access to PHI; and
  • a statement that the covered entity may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action toward any individual for filing a complaint, testifying against, or opposing a practice.
• Investigate whether members of the workforce have failed to comply with access policies and procedures and notify HHS of any violations.
• Specify by title which workforce members must receive a copy of the right of access policy and training on the new policies.
• Post policies and procedures in particular locations at the covered entity, such as employee break rooms, locker rooms, and time clocks.
• Apply appropriate sanctions against workforce members if they continue to fail to comply with new policies and procedures.
• Require the covered entity to submit to OCR every 90 days a list of all access requests from patients or patient personal representatives, including the date the request was received, the date the request was completed, the format requested, the format provided, the number of pages if provided in paper format, and cost, excluding postage.

Conclusion

These enforcement actions highlight the need for covered entities to verify proper HIPAA protections are in place to protect an people’s right to receive timely access to their PHI. Specifically, healthcare providers should assess their existing policies and procedures implementing HIPAA’s right of access against the corrective actions OCR imposed in its most recent settlements and close any gaps.  Providers should also review how their business associates are responding to patient requests for PHI, as many Right of Access Initiative complaints involved a business associate’s failure to appropriately and/or timely respond to an individual’s request for PHI.  Akerman’s healthcare attorneys are available to assist with HIPAA Privacy Rule right of access compliance.