Now is a great time for healthcare providers to assess their compliance with HIPAA’s right of access requirements. Not only is this a hot area of enforcement, patients’ rights to access medical records may become even more robust based on proposed changes to HIPAA that were released by HHS in December 2020.

Recent Enforcement Actions

Accessing their own health information allows patients to take greater control of their healthcare and can improve health outcomes. Therefore, patients’ right to access their protected health information (PHI) is a hallmark of the HIPAA Privacy Rule, and should be a compliance priority for healthcare providers. Healthcare providers that fail to provide patients with timely access to their medical records can face enforcement actions and hefty fines. Timely, according to the Privacy Rule, generally means a healthcare provider must act upon the request within 30 days.

In less than two years, the federal government has entered into 16 settlements with healthcare providers large and small for failing to respond appropriately to patient record requests. These settlements are part of the “Right of Access Initiative”, which was announced in 2019 by Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). Its goal is to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

The government’s enforcement activity has shown no sign of slowing down in 2021. The latest settlement was announced on February 12, 2012, marking the third settlement of the new year.

Here is a sampling of settlements from the past six months:

  • In September 2020, a New York medical practice was required to pay $100,000 in a monetary settlement with the government for failing to provide a patient access to diagnostic films after she made multiple requests over the course of a year.
  • In October 2020, a New York doctor agreed to take corrective action and pay $15,000 for failing to provide a patient with timely access to her record and for failing to cooperate with the government’s investigation into the issue.
  • In February 2021, a Nevada health system agreed to pay $75,000 for failing to respond to a patient’s request that an electronic copy of her health record be sent to a third party. The health system also must undertake a corrective action plan and undergo two years of government monitoring as part of the settlement.

Each of these cases stems from a healthcare provider’s failure to respond appropriately to just one patient’s request for health records. OCR’s message is clear that it will take action against healthcare providers of all sizes, from large health systems to solo practitioners.

HIPAA’s Current Right of Access Standard

Under HIPAA, patients generally have the right to request access to inspect and obtain a copy of their health information. This right extends to a broad array of information including medical records, billing and payment records, insurance information, clinical laboratory test results, medical images (such as x-rays), and other types of health information.

  • A healthcare provider must act on a patient’s request for access within 30 days of receiving the request.

If the healthcare provider cannot fulfill the request within 30 days, it must provide the patient with a written notice of the reasons for the delay and the date by which the provider will act on the request. This notice must occur during the original 30 days window.

  • The healthcare provider may only extend the response time by an additional 30 days.
  • Healthcare providers cannot charge more than a reasonable, cost-based fee for providing copies of the patient’s records.

(For more details about the technical requirements and exceptions to the right of access standard, see 45 CFR § 164.524)

Proposed Changes to HIPAA

Under the proposed changes to the HIPAA Privacy Rule, healthcare providers would have half the time currently allotted to respond to record requests. The changes shorten the required timeframe for responding to patient record requests to no later than 15 days with the opportunity for an extension of no more than 15 days.

The proposed changes also clarify and expand on HIPAA’s right of access requirements, including:

  • Strengthening patients’ right to inspect their PHI in person, which includes allowing them to take notes or use other personal resources to view and capture images of their PHI
  • Reducing the identify verification burden on patients exercising their access rights
  • Creating a new pathway for patients to direct the sharing of PHI in an Electronic Health Record among different healthcare providers and health plans

The proposed changes to HIPAA can be viewed here, and are currently open for public comment through March 22, 2021. If the proposed changes are adopted, it would mark the first major update to HIPAA since 2013.

Takeaways

Based on recent enforcement activity and the proposed changes to HIPAA, providing patients with timely access to their health information is as important as ever.

  1. Healthcare providers should review their HIPAA Policies and Procedures and internal processes to ensure compliance with HIPAA’s current right of access requirements.
  2. Healthcare providers should prepare for faster response times to patient record requests and should work proactively to identify and tackle any hurdles in meeting the proposed 15-day deadline.
  3. Healthcare providers should evaluate what resources may be required to comply with the stricter right of access standards that may be coming down the pipeline.

The Woods Rogers Health Law practice group is monitoring the proposed changes to the HIPAA Privacy Rule and will provide updates on any changes or implementation.