Under the Health Insurance Portability and Accountability Act (“HIPAA”), individuals have the right, with some limited exceptions, to access their protected health information (PHI) maintained in a designated record set by a covered entity or the covered entity’s business associate. The HIPAA Privacy Rule permits individuals to inspect or obtain a copy of the PHI, as well as to instruct the covered entity to transmit the individual’s PHI to a designated person or entity. HIPAA currently requires a covered entity to respond to an individual’s right of access request within 30 days after receipt of the request, with an option for a thirty day extension upon providing a written explanation with the date by which the entity will complete the request to the requesting individual. A covered entity’s failure to timely respond to an individual’s right of access request is considered a violation of the HIPAA Privacy Rule.
In 2019, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the creation of its Right of Access Initiative, intended to support individuals’ right of timely access to their health records. Since the creation of the Right of Access Initiative, there has been substantial enforcement activity related to covered entities’ alleged failures to provide individuals with timely access to their health records. At present time, OCR has settled 18 investigations related to its Right of Access Initiative. Since the beginning of 2021 through the end of April 2021, five of the six OCR-announced settlements have concerned the HIPAA Right of Access Initiative, and include as follows:
In addition to the recent right of access enforcement actions, on January 21, 2021, HHS released proposed modifications to the HIPAA Privacy Rule that, if passed, will impact an individual’s right of access. HHS is proposing to modify the HIPAA Privacy Rule to shorten a covered entity’s response time for right of access requests to no later than 15 calendar days (with the possibility of a one-time 15 calendar day extension). HHS is also proposing to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier of access or unreasonably delay. An unreasonable measure would include, for example, requiring the use of a form that requests extensive information from the individual that is not truly necessary to fulfill the request. The comment period for the proposed rule changes closed on May 6, 2021.
It remains to be seen whether HHS will enact the proposed modifications related to an individual’s right of access under the HIPAA Privacy Rule. Nonetheless, covered entities should continue to ensure individuals have timely access to their health records or risk costly enforcement action.