On September 15, 2020, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it settled five separate investigations, each involving a patient’s right of access to his/her protected health information (“PHI”). By way of background, OCR announced a “HIPAA Right of Access Initiative” in 2019, signaling to covered entities that patients’ right of access to PHI was one of the agency’s enforcement priorities. With the addition of these five settlements, OCR has now settled seven enforcement actions under this initiative and firmly established that patient access to PHI is an area of concern.
These five settlements brought a range of penalties. On the low end, OCR assessed a penalty of $3,500 on a small psychiatric provider in Virginia; on the high end, OCR assessed a $75,000 penalty on a large mental health provider in Massachusetts. All five of these settlements stemmed from patient or patient representative complaints to OCR when the individuals faced barriers to obtaining the PHI requested. Notably, in three of the five matters, OCR provided the covered entity with technical assistance after the initial complaint. However, upon receiving a second complaint in each case, OCR initiated investigations, each of which resulted in a settlement and corrective action plan. Each of the corrective action plans contained similar requirements, including, but not limited to: policy/procedure development and approval from OCR; training on the policies and procedures; and mandated reporting to OCR regarding the number of access requests received and the timing of the covered entity’s responses to such requests.
Health care organizations should take care to review the access requirements in order to avoid OCR scrutiny. As health care organizations are already aware, HIPAA requires covered entities to provide individuals with access to their health information within thirty days following receipt of a request. However, if there is a legitimate reason that a covered entity needs an extension, a covered entity may take an additional thirty days so long as it provides the individual with notice of such reason. Under limited circumstances, covered entities may charge a reasonable cost-based fee for copies of such records. OCR has previously provided sub-regulatory guidance on how to calculate this fee. However, if covered entities send records electronically, there should be no charge.
OCR emphasized in its press release that “[p]atients cannot take charge of their health care decisions, without timely access to their own medical information.” Notably, the timing of these settlements aligns with the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator (“ONC”) Information Blocking Final Rules. The crux of these rules is to allow for the free flow of PHI, which dovetails with HIPAA’s rights surrounding individuals’ access to PHI.