This month, OCR announced that it had settled five more investigations and enforcement actions under its HIPAA Right of Access Initiative. OCR first announced its HIPAA Right of Access Initiative in 2019. The HIPAA Right of Access Initiative is focused on enforcing patients’ rights to quickly get copies of their medical records without being overcharged. However, it is important to note that the HIPAA Right of Access Initiative does not impact the Ciox decision and the HHS announcement that the patient rate limitation does not apply to requests for patient records to be sent to third parties.
In 2019, OCR settled two cases in its HIPAA Right of Access Initiative for $85,000 each – one case settled against a Florida hospital and the other case settled against a Florida-based comprehensive care and pain management company.
Of the five recently settled cases, three settled after OCR had received two complaints. After the first complaint that the covered entities had failed to provide the patient or personal representative with the requested record, OCR provided technical training to the covered entities. After the second complaint that the covered entities had not provided the requested records, OCR brought an enforcement action. The enforcement actions were settled for $38,000, $3,500, and $10,000, and each covered entity entered into a corrective action plan with OCR.
The two other cases settled after OCR received only one complaint. A California-based multi-specialty clinic settled with OCR for $15,000 after it allegedly refused a patient access to her records. The complaint was filed just three months after the patient made her request to inspect and receive a copy of her records, underscoring the importance of promptly responding to requests.
When determining the settlement amount, OCR takes into account the entity’s financial condition, the entity’s past compliance, the nature and extent of the harm, and the nature and extent of the violation.
The Privacy Rule gives patients the right to access their “designated record sets,” a group of records that is maintained by or for a covered entity. The designated record set is made up of not only medical records, but also billing records, enrollment forms, claims adjudication documents, and any document used by or on behalf of the covered entity to make decisions about an individual. A covered entity should draft policies that clearly describe what is included in its designated record set so that it can easily and quickly retrieve and provide the record set to the requesting patient. Business associates may also be required to provide access to and maintain designated record sets on behalf of covered entities pursuant to a business associate agreement, so it is important to work with counsel to review and draft business associate agreements that clearly outline each party’s responsibility for granting patients access to their designated record sets.
OCR’s press release regarding the settlements is available here.