A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Rights’ (“OCR”) HIPAA Right of Access Initiative. According to OCR’s announcement, VPS agreed to a two-year corrective action plan and to pay $30,000 to settle a potential HIPAA violation.
What is the “right to access” under HIPAA?
The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to protected health information (“PHI”) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, as well as the right to direct the covered entity to transmit a copy to a person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and regardless of whether the information is maintained in paper or electronic systems, onsite or remotely, or is archived.
When implementing this rule, covered entities and their business associates have several issues to consider, such as:
- What information is subject to the right and what information is excluded (for example, psychotherapy notes).
- Confirming the authority of a “personal representative” to act on behalf of an individual.
- Procedures for receiving and responding to requests – such as written request requirements, verifying the authority of requesting parties, timeliness of response, whether and on what grounds requests may be denied, and fees that can be charged for approved requests.
To assist covered entities (and business associates), OCR provides a summary of right of access issues, as well as a set of frequently asked questions.
Resolution of OCR’s Eighteenth “Right of Access” Enforcement Action
OCR’s investigation commenced in September 2019, when it received a complaint from a patient alleging that VPS had failed to respond in a timely manner to a records access request made the prior month. According to the OCR resolution agreement, OCR determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to act on an access request within 30 days of receipt (or within 60 days, if an extension applies).
In addition to the $30,000 monetary settlement, the resolution agreement requires VPS to implement a corrective action plan (“CAP”) that includes two years of monitoring by OCR. The CAP requires the small practice to, among other things:
- revise its right of access policies,
- submit its right of access policies to OCR for review,
- obtain written confirmation from staff that they read and understand the new right of access policies,
- train staff on the new policies, and
- every 90 days, submit to OCR a list of access requests received from patients and VPS’s responses to them.
Providers receive all kinds of requests for medical and other records in the course of running their businesses. Reviewing and responding to these requests no doubt creates administrative burdens. However, purchasing template forms online may not give a practice everything it needs, and may expose the practice to additional risk if those forms are used without regard to state law or are not implemented properly.
Putting in place relatively simple policies, carefully developing template forms, assigning responsibility, training staff, and documenting responses can go a long way toward minimizing both the risk of an OCR enforcement action and its severity. Providers should also consider sanctions under state law that might flow from failing to provide patients access to their records. It is worth noting that in some cases state law may be more stringent than HIPAA concerning the right of access, which may require modifications to the processes practices follow for providing access.