April 23, 2021 | By Rachel Rose, JD, MBA
Early in 2019, the U.S. Department of Health and Human Services – Office for Civil Rights (HHS-OCR) announced the creation of an initiative to target violations of 45 CFR §164.524(b)(2) for not providing an individual with his/her requested protected health information (PHI) within 30 calendar days, unless an extension of up to 30 days is relayed within the initial 30-day period. As stated on the HHS website, “[t]he 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.” Only a single extension is permitted per access request.
Before delving into recent OCR enforcement actions, it is important to note that individual states may have shorter periods of time for providing patients with their medical and/or billing records. For example, in Texas, “[t]he requested copies of medical and/or billing records or a summary or narrative of the records shall be furnished by the physician within 15 business days after the date of receipt of the reasonable fees for furnishing the information.” If the request is denied, either in its entirety or partially, then the covered entity must provide a reason for the denial and how the patient can file a complaint with the HHS OCR.
In late March 2021, OCR settled its seventeenth and eighteenth investigations related to its HIPAA Right of Access Initiative. The details follow:
- Seventeenth (Mar. 24, 2021) – OCR announced that Arbour, Inc. d/b/a Arbour Hospital agreed to pay $65,000 and take corrective actions as part of its settlement of potential HIPAA Privacy Rule violations.
  - Initially, a patient made a request for his/her medical records in May 2019. In July 2019, OCR received a complaint that the medical records had not been furnished. OCR provided Arbour Hospital with assistance regarding the Right of Access requirements.
  - Later in July 2019, OCR received a second complaint indicating that the hospital still had not provided the patient with his/her medical records. Upon further investigation, OCR determined that the medical records had not been provided within the 30-day period (or 60 days with the appropriate extension).
  - Eventually, the patient received the medical records from Arbour Hospital in November 2019 – 5 months after the patient’s initial request.
  - The takeaway: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” stated Acting OCR Director Robinsue Frohboese.
- Eighteenth (Mar. 26, 2021) – OCR announced that Village Plastic Surgery (“VPS”) agreed to pay $30,000 and take corrective actions as part of its settlement of potential HIPAA Privacy Rule violations.
  - A patient made a medical records request in August 2019. In September 2019, OCR received a complaint.
  - OCR initiated an investigation and determined that VPS had failed to provide the patient with access to his/her PHI within the prescribed 30 days of receipt (or within 60 days if an extension applied).
  - As a result, VPS sent the patient his/her requested records, and VPS adopted a corrective action plan that includes two years of monitoring.
  - The takeaway: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner… Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”
In light of these continued enforcement actions, covered entities cannot ignore that HHS-OCR is focused on patients obtaining their medical records within the prescribed statutory period. From a HIPAA compliance standpoint, this means including Privacy Rule items in annual risk analyses, creating a system to log the date of each request and its due date under both state law and the Privacy Rule, and making sure that patients are provided with their information within the requisite timeframes. If an exception exists, then make certain to notify the patient in writing within 30 days to comply with the HIPAA Privacy Rule. Failing to do so has resulted in settlements of $30K to $65K for a single patient’s records not being provided.