The Health and Human Services has fined yet another healthcare provider for refusing to release medical records when requested by the patient. This is the tenth enforcement action of this type by the HHS this year. Last month, HHS imposed two fines of more than $100,000 for similar violations. SJHMC paid $160,000 and NY Spine paid a penalty of $100,000 for violating the patient’s right to access medical records.
The HIPAA Privacy rule gives people a legal, enforceable right to access their medical records that are stored with providers and plans. People also have the right to receive a copy of their records upon request.
Under the law, if a doctor or plan does not fulfill a patient’s request, the patient can file a complaint with the HHS. The department gives enforcement priority to such complaints.
Know when you can refuse to release medical records
At the same time, HIPAA gives entities the authority to refuse the access as well. Even so, there are procedures that the provider needs to follow. With this in mind, let’s look at the latest HIPAA enforcement action.
Last week, the HHS took its 10th enforcement action against a provider who refused to release medical records of a patient. As per the press brief, Riverside Psychiatric Medical Group, a group practice in Riverside, California would be paying $25,000 as penalty for the violation. RPMG also needs to resolve the problems exposed by the HHS investigation.
The HHS investigation was the result of several complaints by an RPMG patient. The patient complained that the provider was not sharing her medical records with her.
Upon receiving the first complaint, the HHS reached out to RPMG, and helped it to sort out the problems hindering it from sharing the records.
In spite of the help, RPMG failed to respond to the patient request again. The patient, then, filed a second complaint against RPMG. This complaint, in turn, led to the HHS investigation.
The investigation determined that RPMG was violating HIPAA by not sharing the PHI with the requester.
In RPMG’s defense, it claimed that the requested records included psychotherapy notes. So, they did not have to comply with the patient request.
Circumstances when you can refuse to release medical records
To clarify the RPMG’s position, as per HIPAA guidance on the matter of 45 CFR 164.524, or Access of individuals to PHI, a covered entity can refuse requests for protected health information under certain circumstances.
To put them briefly, a healthcare provider can refuse access if –
- The request is for psychotherapy notes.
- The person is asking for the set of information compiled for legal purposes.
- The request is by a prison inmate, and fulfilling the request could compromise the custody, health, rehabilitation, safety, or security of the inmate or other people.
- The request is for records that are a part of an ongoing research study.
- The requested records are considered as protected records under the Privacy Act.
- The PHI was obtained under a promise of confidentiality.
- The requested PHI might endanger the life or safety of the person or other people.
- The disclosure might harm a person referenced in the PHI.
- The request is by a personal representative of the patient, and the disclosure might cause harm to the patient or someone else.
But, some of these circumstances are considered as reviewable grounds for denial. Patients can request for a review of the denial under these conditions. The reviewing official needs to review-
- If the disclosure might endanger the life or safety of people.
- If the disclosure might harm a person referenced in the records.
Except for these circumstances, others are considered as unreviewable grounds of denial. Covered entities can refuse to release medical records under the circumstances.
Important steps to take when refusing to release medical records
Even so, the healthcare provider needs to provide the denial in writing to the requester. This should happen within 30 days of receiving the request. The letter should explain the grounds of denial, and how they can submit a complaint against the decision to the HHS.
Along with this, if the grounds of denial are reviewable, then the requester needs to be informed of the same.
RPMG failed to follow this procedure. The patient did not receive the denial in writing. Besides this, RPMG did not give her access to any of her PHI.
Under HIPAA, you need to respond to patient requests in a timely fashion. If there is ground for refusing to release medical records, then exclude them, and disclose the rest of the records.
RPMG didn’t do that either. They should have shared the requested records, excluding the psychotherapy notes.
By the same token, the complexity to segregate the two PHI shouldn’t hinder the covered entity from fulfilling the request either. They can always extend the 30-day window to 60 days, but they need to notify the requester about the delay.
Under the corrective action plan, RPMG needs to review and revise their policies and procedures that relate to CFR 164.524 (Access of individuals to protected health information). The changes should ensure a timely response to all requests, including those for which they have a ground for denial.
Moreover, RPM needs to train its workforce as well. It must ensure that everyone is trained in handling requests for PHI. The training should cover relevant HIPAA provisions and related company policies and procedures. RPMG also needs to keep a record of the training completion certificates.
Errors to avoid when refusing to release medical records
Regarding the right to access initiative, this enforcement is the 10th such action by the HHS. Others resulted from the following behaviors by the covered entities.
- The provider gave only some of the documents requested by the patient.
- The personal representative put many requests, but the covered entity did not comply.
- The provider did not fulfill the patient’s request to share medical records with a third-party.
- Requests were not fulfilled in a timely fashion.
- The requester was charged an unreasonable fee against the request.
- The provider refused to give a copy of the PHI
- The requester wasn’t allowed to inspect her records.
That said, non-compliance can lead to extremely steep penalties. For instance, Korunda Medical was fined $85,000 for failing to send medical records to a third party in a timely fashion. Similarly, SJHMC paid a penalty of $160,000 for not sharing medical records with the personal representative of a patient.
Likewise, the majority of the corrective action plans show that the providers did not have proper policies and procedures in place. Besides this, the staff were in need of training as well.
With this in mind, compliance officers should review their compliance training programs. HIPAA Awareness sessions are good educational tools, but holding in-depth training is important as well; workers should know when they can refuse access to medical records and when they cannot.
What are your views about the HIPAA right to access provision? How do you handle patient requests for PHI? If you have tips on how our readers can improve their HIPAA right to access processes, do share them in the comments below.