OCR Increases Focus on HIPAA's Right of Access
Under HIPAA, individuals have the right to review and obtain copies of their records. Covered entities are required to follow specific procedures when individuals request to see their records. Additionally, HIPAA permits covered entities to restrict an individual’s right to access records under specific circumstances, such as when a licensed health care professional determines, in the exercise of professional judgment, that granting access would endanger the life or safety of the individual or another person. However, a denial of access must itself follow specific requirements.
In addition to HIPAA, there are other federal and state laws that grant individuals a right of access to records that may also apply. Not all of these other laws are preempted by HIPAA – they may need to be followed along with HIPAA. For instance, many state laws impose greater restrictions on how much individuals can be charged for a copy of their records.
The Office of Civil Rights (“OCR”) within the U.S. Department of Health and Human Services has recently stepped up enforcement of HIPAA’s right of access requirements and announced several enforcement actions against covered entities that have failed to comply. For example:
A California specialty clinic was fined $15,000 for refusing to give a patient access to her medical records. In addition to the fine, the clinic was required to enter into a corrective action plan and be monitored for compliance for two years.
Massachusetts-based Beth Israel Lahey Health Behavioral Services was fined $70,000 for failing to give timely access to records to the personal representative of a deceased patient’s estate. The provider was required to enter into a corrective action plan and be monitored for one year.
A Phoenix, Arizona, hospital was fined $160,000 for failing to appropriately respond to a parent’s multiple requests to access her child’s records. The hospital entered into a corrective action plan and will have its compliance monitored for two years.
Based on these and other recently announced enforcement actions, OCR appears to be aggressively responding to complaints on failures to grant access to records. Actions based on the complaint of a single patient are resulting in hefty penalties.
In light of OCR’s activities, covered entities should take the following steps to ensure they are complying with HIPAA’s right of access requirements:
Review your policies on patients’ access to their medical records. Check whether your policies comply with HIPAA and other applicable laws, such as the 42 C.F.R. Part 2 rules on substance use disorder records and state laws. Remember: HIPAA generally gives way to other laws that give patients a greater right of access to their records. If your organization does not have these policies, they should be created and implemented as soon as possible.
Organizations should also review their policies concerning authorized representatives who are legally permitted to invoke rights under HIPAA for the patient. Several of OCR’s enforcement actions involve failures to appropriately respond to requests made by authorized representatives.
Conduct a spot check of your organization’s compliance with the HIPAA right of access requirements and see how familiar your health information staff is with HIPAA’s right of access.
Conduct periodic training on the HIPAA right of access to ensure staff appropriately respond to a request for access.
If you have questions about HIPAA’s right of access, other federal or state laws that give patients a right to access their information, or how your organization can ensure its own compliance, please feel free to contact Mike Burian, Ben Townsend, Steve Johnson, or Taylor Fawns at Kozak & Gayer.