While the HIPAA Right of Access rule was first passed into law as part of the 2013 HIPAA Omnibus Rule, the Office for Civil Rights (OCR) has been cracking down hard on violators of this rule in recent years. This provision requires covered entities to provide patients with a copy of their medical records in the form and format requested, or another agreed-upon form, within 30 days of the initial request. If the covered entity is unable to fulfill the request in that timeframe, it may notify the patient in writing that it will need a 30-day extension. This notification must also give the requestor the date on which the records will be provided, and only one extension is permitted.
In early 2019, the OCR announced its Patient Right of Access Initiative, under which it would give special focus to patient claims that they were denied timely access to their medical records. This effort got off to a slow start, with only two settlements by the end of that year. In 2020, however, the crackdown ramped up considerably. In fact, in 2020 alone, OCR settled no fewer than eleven enforcement actions under the Right of Access Initiative, with the highest at a staggering $200,000. And it appears they aren’t slowing down in 2021, either, with several high-dollar settlements already being completed.
The Right of Access Initiative Isn’t Slowing Down in 2021
As of the writing of this article, OCR has settled a total of eighteen Right of Access cases, with fines totaling over $1 million. Several of these have happened just recently.
On February 12, 2021, OCR announced a settlement against the Sharp Rees Stealy Medical Center, forcing them to pay a $70,000 fine due to a complaint stating they failed to take timely action in providing a patient with an electronic copy of PHI.
More recently, on March 24, 2021, OCR announced a seventeenth settlement as part of an enforcement action in its HIPAA Right of Access Initiative. In this settlement, Arbour Hospital agreed to take corrective action as well as pay a fine of $65,000. This was due to a complaint that Arbour failed to take timely action in response to a patient's records access request made in May of 2019. Then another complaint was filed against them in July of 2019, alleging that Arbour still had not responded to the same patient's records access request. In the end, Arbour did not provide the patient with records until November 2019, over five months after the initial request.
Just two days later, on March 26, 2021, OCR announced its eighteenth settlement in the initiative. This time, the practice was ordered to take corrective action and pay a fine of $30,000 for failing to take timely action in response to a patient’s request for records that was submitted in August 2019. In fact, they did not provide the records until they were already under investigation by OCR.
Why is This Happening Now?
You may be wondering why this crackdown has only begun in recent years. Why not right from the start? This surge in cases is likely being fed by the fact that healthcare consumers have become much more aware of their rights under HIPAA, as well as the fact that systemwide care coordination requirements have increased. As a result, record requests are becoming more frequent, and patients are becoming much more apt to file complaints with the OCR when these requests go unfulfilled.
It is also important to note that these cases are most likely not being caused by ignorance of the law (which is not a legal defense, in any case). What may be causing so many healthcare systems and practices to be caught up in Right of Access cases is failing to create and implement good processes to track when these requests come in and to ensure they are being fulfilled.
Create a Process to Avoid Violations
One of the primary things your practice needs to do is make sure you have a policy for how you will provide patients with their records, as well as a process that allows you to track those requests as they come in and confirm (and document) the fulfillment of these requests (in case someone files a false complaint). You should be reviewing these requests no less than every 30 days to make sure that you have not missed a requirement to fulfill a request. If you find you are close to missing one, you need to have a process in place for requesting an extension in writing from the patient.
Remember, when patients request their records, you have only 30 days to respond. However, this time can be extended by informing the requesting individual in writing of the reason for this delay and stating on what date you will be providing the requested records. Also, while not yet signed into law, if the currently proposed changes to the Privacy Rule pass, the timeframe will be shortened to 15 days to respond with one possible 15-day extension. So, it is extremely important to be ready with an expedited process for when that happens.