In late 2019, the Office for Civil Rights (OCR) at the United States Department of Health and Human Services (DHHS) announced it would be focusing its enforcement efforts under the Health Insurance Portability and Accountability Act (HIPAA) on the rights of patients to access their medical records promptly and without being overcharged for copies.

This pre-pandemic promise is being fulfilled despite COVID-19's unexpected visit, with 16 published settlements so far (through February 2021) ranging from $3,500 to $200,000 and averaging over $65,000 per settlement.  The settlements have been made by all types of HIPAA-covered entities, including solo physicians, medical practices, non-profit agencies, and all sizes of hospitals.  In addition to the monetary settlements (totaling over $1,052,500 through February 2021), each covered entity also entered into a corrective action plan, including one to two years of monitoring by OCR.  All of these settlements have started with a patient complaint filed with OCR against the covered entity.

To keep the OCR at bay, HIPAA-covered entities must permit patients to inspect and obtain a copy of their protected health information (PHI), with very limited exceptions.  Although this access right seems simple, the HIPAA regulations and OCR guidance contain numerous requirements that may ensnare unwary covered entities, such as:

  • Covered entities must respond to a patient's request for access to or copies of PHI (usually in the form of medical or billing records when the covered entity is a healthcare provider) no later than 30 days after receipt of the request by taking one of these actions: (a) providing the information as requested, (b) denying the request in writing (where permitted), or (c) notifying the patient in writing that an extension of time (limited to an additional 30 days) is needed and why.  Some denials may be appealed by the patient.
  • Covered entities must provide access to the requested information in the form and format requested by the patient, if readily producible in that form and format. If a patient asks for records in electronic format but the records are maintained in paper format, the covered entity may comply with the request by scanning and emailing the records to the patient.
  • Covered entities may charge only limited fees to patients who have requested PHI for their own use. Patients may only be charged the actual cost of (a) labor for copying the PHI (not including labor used to identify, retrieve, collect, compile or collate the PHI), (b) supplies for a paper copy or electronic copy (such as the cost of a CD-ROM or USB), (c) postage for paper copies that the patient requests be sent by mail, and (d) preparation of an explanation or summary of the requested PHI, if agreed to by the patient in advance.  Other costs may not be charged to patients who request PHI for their own use – even if state law would permit the provider to charge those costs.  These limitations on fees apply only when the patient requests that the records be provided to him or her; they do not apply when the patient requests that the records be provided to a third party, in which case the fees permitted under state law for medical records could be charged.
  • Covered entities must have written policies regarding compliance with the patient's right of access and train employees regularly on those policies. One recommended policy is to require all requests for PHI to be made in writing:  HIPAA already requires that patient requests for PHI to be provided to a third party must be in writing.  So, requiring the patient to make requests for PHI for his or her own use in writing as well is reasonable and makes the process consistent for covered entities and their staff.  Another recommendation is that the covered entity use a separate form for patients to request PHI and not use the HIPAA authorization form, which requests more information than is necessary to exercise the patient's right of access and which OCR has suggested may create impermissible obstacles to the patient's exercise of such right.

Here are a few lessons covered entities can learn from the 16 OCR settlements published so far:

  1. If OCR contacts you about a complaint from a patient stating you failed to provide the patient's requested records in compliance with HIPAA, then do not ignore the complaint OR the initial request that was made by the patient. In fifty percent of the published settlements, the covered entity was notified twice by OCR and could have avoided the settlement entirely if it had promptly complied with the first complaint before OCR received a second one regarding the same failure.
  2. Make sure your staff does not ignore complaints from patients regarding HIPAA's right of access and understands your policies regarding compliance. Not only could you face an investigation and settlement with OCR, but the North Carolina Medical Board also may take action against licensees for failure to provide medical records to patients upon request.
  3. Make sure you do not charge a patient more than the HIPAA-allowed fees for a copy (paper or electronic) of the patient's requested records.
  4. While this right of access appears fairly simple on the surface, if you are unsure whether an individual may act as the patient's personal representative (generally a person with authority under state law to make healthcare decisions for an individual) and exercise the patient's right of access under HIPAA, or whether the requested information falls within one of HIPAA's limited exceptions to the patient's right of access, or whether you are calculating the fees for copies of requested information correctly, please do not hesitate to reach out to one of the Firm's healthcare attorneys for guidance so you can promptly comply with the required response under HIPAA. The DHHS website has a wealth of resources under its HIPAA for Professionals link as well.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.