This week the Office for Civil Rights settled five cases of HIPAA Right of Access violations. All five providers have agreed to pay penalties and implement a corrective action plan under OCR supervision.
Here’s the list of the five HIPAA settlements declared this week by the OCR.
- Housing Works – $38,000
- All Inclusive Medical Services (AIMS) – $15,000
- Beth Israel Lahey Health Behavioral Services (BILHBS) – $70,000
- King MD – $3,500
- Wise Psychiatry – $10,000
These enforcement actions are being seen as a direct message from the OCR to the healthcare community about the importance of the HIPAA Right of Access provision.
According to OCR Director Roger Severino, “Patients can’t take charge of their health care decisions, without timely access to their own medical information.”
In early 2019, the Office for Civil Rights (OCR) announced the HIPAA Right of Access initiative. Under this initiative, the OCR is vigorously enforcing the right of patients to access their medical records promptly, without being overcharged, and in a readily producible format.
In mid-2019, a study revealed that nearly 51% of providers fail to comply with the HIPAA Right of Access provision. Most providers failed to provide the requested information within 30 days.
Of the five providers penalized this week, AIMS, King MD and Wise Psychiatry were investigated after the OCR received complaints that they weren’t allowing patients to access their PHI. BILHBS was investigated following a complaint that the provider failed to respond in a timely manner.
What is the HIPAA Right of Access provision?
The HIPAA Privacy Rule gives individuals a legally enforceable right to see and receive a copy of the information in the medical and health records maintained by their healthcare providers and health plans. This includes the right to inspect or obtain a copy of their PHI, as well as to direct the covered entity to transmit a copy to another person or entity of the individual’s choice.
A covered entity cannot deny an individual’s request, except in certain limited circumstances, and it must respond to the request as soon as possible.
The permissible time limit for fulfilling a request is 30 days. A covered entity can extend this time by another 30 days, but only if it gives the patient the reason for the delay in writing. All requests must be fulfilled within 60 days.
What information can be disclosed?
Once a covered entity receives a request for PHI access, it needs to check whether the requested information can be disclosed. The list of PHI that can be disclosed under the Right of Access provision is long.
Patients can request information such as –
- Medical records
- Billing and payment records
- Insurance information
- Clinical and laboratory test results
- Wellness and disease management program files
- Medical images, such as X-rays
- Clinical notes
Together, this information is known as the ‘designated record set’ and is used to make decisions about the patient. Patients can request any information that belongs to the designated record set.
The right to access PHI does not apply to information that is not part of the designated record set.
Two sets of information are explicitly excluded from the right of access –
- Psychotherapy notes
- Information compiled for use in legal proceedings
The Privacy Rule also defines certain circumstances under which a covered entity can deny a person’s request for access to PHI. These circumstances include –
- The request is for a patient’s psychotherapy notes
- The request is for information compiled for use in legal proceedings
- A request for a copy of PHI by an inmate
- If the requested PHI is a part of an ongoing research study
- If the requested PHI is subject to the Privacy Act
- If the requested PHI was received under a promise of confidentiality
The above circumstances are considered unreviewable grounds for denial.
In certain cases, a person can ask you to review your decision to deny access. The reviewable grounds for denial are –
- The access could endanger the life or safety of the patient or another person
- The access could cause substantial harm to a person mentioned in the PHI
- The request is from a patient’s personal representative, and giving access might harm the patient
Except in the scenarios listed above, a covered entity cannot deny a patient access to their medical records. Such a denial would count as a HIPAA violation.
Your process for filing requests for PHI should be simple and fast. The 30-day limit is meant for cases in which retrieving the requested PHI takes time, such as laboratory test results that aren’t available yet, or records that were archived long ago. If technology can shorten the timeline, use it.
Do not use unreasonable measures that create barriers or delay the disclosure. Your process for requesting access and verifying identity should not cause unnecessary hassle for the patient. Give patients multiple options for requesting access, if need be.
If a patient has requested PHI in an electronic form that isn’t readily producible, let the patient know. If you can provide the information immediately on paper, suggest that option and, upon agreement, deliver the information.
Allowing people quick access to their PHI isn’t just about following HIPAA. With today’s technology, such access could transform patient care. It could help patients monitor their own health condition, leading to better health outcomes. Patients can take control of their health insurance and treatment plans, lowering their healthcare costs.
Above all, allowing people access to their PHI is the law. And with the OCR set on strictly enforcing the HIPAA Right of Access provision, the message is clear – providers need to take requests for PHI access seriously.
Do you deal with patient requests for your practice? We’d like to hear your comments on the HIPAA Right of access provision. What are the hurdles that you face in providing PHI access to patients? Why does the actual process consume so much time?