
Patients' Right of Access Remains an Important Issue for HIPAA Compliance

Privacy & Cybersecurity Newsletter
Summer 2021

Under the Health Insurance Portability and Accountability Act (“HIPAA”), individuals have the right, with some limited exceptions, to access their protected health information (PHI) maintained in a designated record set by a covered entity or the covered entity’s business associate. The HIPAA Privacy Rule permits individuals to inspect or obtain a copy of the PHI, as well as to instruct the covered entity to transmit the individual’s PHI to a designated person or entity. HIPAA currently requires a covered entity to respond to an individual’s right of access request within 30 days after receipt of the request, with an option for a thirty-day extension upon providing the requesting individual with a written explanation that includes the date by which the entity will complete the request. A covered entity’s failure to timely respond to an individual’s right of access request is considered a violation of the HIPAA Privacy Rule.

In 2019, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the creation of its Right of Access Initiative, intended to support individuals’ right of timely access to their health records. Since the creation of the Right of Access Initiative, there has been substantial enforcement activity related to covered entities’ alleged failures to provide individuals with timely access to their health records. At present, OCR has settled 18 investigations related to its Right of Access Initiative. From the beginning of 2021 through the end of April 2021, five of the six OCR-announced settlements have concerned the HIPAA Right of Access Initiative, as follows:

  • On January 12, 2021, OCR announced that Banner Health agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. OCR received two complaints filed against Banner Health entities alleging violations of the HIPAA Right of Access standard. The first complaint alleged that an individual requested access to her medical records in December of 2017 but did not receive the records until May 2018. The second complaint alleged that an individual requested access to his records in September 2019 but the records were not received until February 2020.
  • On February 10, 2021, OCR announced that Renown Health, P.C. agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.
  • On February 12, 2021, OCR announced that Sharp HealthCare agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that Sharp HealthCare failed to timely respond to a patient's records access request directing that an electronic copy of the patient’s electronic health record be sent to a third party. OCR provided Sharp HealthCare with technical assistance on the HIPAA Right of Access requirements. Subsequently, OCR received a second complaint alleging that Sharp HealthCare still had not responded to the patient's records access request. OCR initiated an investigation and determined that Sharp HealthCare failed to provide timely access to the requested medical records.
  • On March 24, 2021, OCR announced that Arbour Hospital (“Arbour”) agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. OCR received a complaint alleging that Arbour failed to take timely action in response to a patient's records access request, and provided Arbour with technical assistance regarding the HIPAA Right of Access requirements. Subsequently, OCR received a second complaint alleging that Arbour still had not responded to the same patient's records access request. OCR initiated an investigation and determined that Arbour failed to provide timely access to the requested medical records.
  • On March 26, 2021, OCR announced that Village Plastic Surgery (“VPS”) agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. OCR received a complaint alleging that VPS failed to take timely action in response to a patient's records access request. OCR’s investigation revealed that VPS failed to timely respond to the patient’s request.

In addition to the recent right of access enforcement actions, on January 21, 2021, HHS released proposed modifications to the HIPAA Privacy Rule that, if passed, will impact an individual’s right of access. HHS is proposing to modify the HIPAA Privacy Rule to shorten a covered entity’s response time for right of access requests to no later than 15 calendar days (with the possibility of a one-time 15-calendar-day extension). HHS is also proposing to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to access or unreasonably delay access. An unreasonable measure would include, for example, requiring the use of a form that requests extensive information from the individual that is not truly necessary to fulfill the request. The comment period for the proposed rule changes closed on May 6, 2021.

It remains to be seen whether HHS will enact the proposed modifications related to an individual’s right of access under the HIPAA Privacy Rule. Nonetheless, covered entities should continue to ensure individuals have timely access to their health records or risk costly enforcement action.
