In a recent HIPAA Journal publication, it was stated that the Health and Human Services (HHS) – Office for Civil Rights (OCR) issued a warning to healthcare providers, emphasizing the importance of compliance with the “HIPAA Right of Access,” which is also part of the 21st Century Cures Act.
OCR announced that the total number of financial penalties imposed under the HIPAA Right of Access Enforcement Initiative is now up to 38. In its statement, it announced more than 11 financial penalties for entities covered by HIPAA, such as hospitals and medical practices, that have failed to provide patients with timely access to their medical records upon request.
Right of individuals under HIPAA to access their health information 45 CFR § 164.524
The HIPAA right of access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors be corrected. People can also request a copy of their protected health information (PHI) from health care providers and health plans.
When such a request is made, the requested information must be provided in full within 30 days of receipt of the request. In very limited circumstances, a 30-day extension is permitted. Requests may be submitted by patients or their designated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Anyone requesting a copy of their records may only be charged a reasonable, cost-based fee for obtaining a copy of their records. Records must be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical ability to provide records in that format.
Additionally, if the patient wishes to have their records saved in a HIPAA-protected phone application or digital access, and the physician or facility from which that information is requested has that capability, that is how they must be provided. If the HIPAA-covered entity does not have this particular delivery platform, they can ask HHS-OCR to help implement this electronic capability. There is also an option to direct the patient to their EMR, password-protected patient portal, as long as the patient receives easily accessible instructions for use and agrees to this form of delivery.
The OCR launched its HIPAA Right of Access Enforcement Initiative in the fall of 2019 in response to reports of widespread non-compliance with this important HIPAA right. “It shouldn’t take a federal investigation before a HIPAA-covered entity gives patients, or their personal representatives, access to their medical records,” said OCR Director Lisa J. Pino. “Healthcare organizations should take note that there are now 38 enforcement actions in our Right of Access initiative and understand that OCR is serious about upholding the law and the fundamental right of people to quick access to their medical records.”
Likely interference or blocking of information
It would likely be considered interference for the purposes of blocking information if a health care provider established an organizational policy that, for example, imposed delays in the release of lab results for any period of time in order to allow a prescribing clinician to examine the results or in order to personally inform the patient of the results before a patient can electronically access these results (see also 85 FR 25842 specifying that such a practice is not eligible for the exception “Prevention of Harm”).
To illustrate further, this would also likely be considered interference:
- where a delay in access, exchange or use occurs after a patient logs into a patient portal to access EHI (electronic health information) available to a healthcare provider (including, for example, lab results) and that EHI is not available, for any period of time, through the portal.
- in the event of a delay in providing a patient’s EHI via an API (application programming interface) to an application that the patient has authorized to receive their EHI.
HIPAA Right of Access Penalties
According to the HIPAA Journal, the latest penalties were all imposed for failing to provide prompt access to an individual’s medical records, rather than charging unreasonable fees for exercising the right of access. All but one of these cases were resolved with the OCR, with covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.
One HIPAA-covered entity refused to cooperate with OCR requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. The OCR was informed on April 8, 2019 that ACPM had refused to provide these documents. OCR provided technical assistance to ACPM on April 18, 2019, confirming that records must be provided under HIPAA. A second complaint was then lodged with the OCR a month later when the files had still not been provided.
What’s worth noting is that many HIPAA-covered entities believe that if the patient has an outstanding balance with that entity or doctor’s office, they may retain the patient’s records based on that issue. This is an incorrect assumption.
OCR’s investigation into ACPM Podiatry found the records were withheld because the complainant’s insurance company failed to pay the bill, but the complainant said the records were needed to appeal the unfavorable decision. Although there has been contact between the OCR and ACPM Podiatry, ACPM has not responded to the OCR’s data access requests, to the OCR’s notice regarding the proposed monetary penalty determination, nor to the letter of opportunity to provide evidence of mitigating factors, resulting in the imposition of a civil monetary penalty.
You cannot ignore these patient requests or OCR requests. The release of a patient’s ePHI is not conditional on whether or not the invoice has been paid in full. The table below reflects some of the recent penalties applied by OCR for blocking information; OCR publishes those entities and the penalties.
Source: HIPAA Journal July 2022
Note on programming: Listen live today when Terry Fletcher reports on this developing story during Talk Ten Tuesdays, 10 Eastern.