Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe Now
By Robert A. Anderson and Alexandria M. Foster
In the era of hospital price transparency, electronic medical record interoperability and prohibitions on information blocking, federal and state authorities are holding providers accountable under various laws regarding accessibility of health information. The Office of Civil Rights under the U.S. Department of Health and Human Services continues to enforce individuals’ rights to access their health information through its Right of Access Initiative. Through its initiative, OCR vigorously enforces individuals’ rights to receive copies of their medical records without facing overcharges.
Since the 2019 launch of its initiative, OCR has brought nearly 20 enforcement actions against providers for failing to comply with the Health Insurance Portability and Accountability Act’s medical record access provisions. Earlier this year, former OCR Director Roger Severino stated, “(O)ur Right of Access Initiative is still going strong … providers of all sizes need to respect the right of patients to have timely access to their medical records.”
HIPAA provides an individual the right to access, inspect and obtain a copy of protected health information about the individual, except for: (i) psychotherapy notes and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. See 45 CFR § 164.524(a)(1).
HIPAA requires health care providers defined as “covered entities” to respond to a request for access no later than 30 days after receipt of the request. If the covered entity cannot respond to the request within 30 days, the covered entity may extend the response time for an additional 30 days if it provides the individual with a written statement of the reason for the delay and the date by which the covered entity will complete its action on the request. The right to access records extends to parents who seek medical information about their minor children, including unborn children.
Additionally, the covered entity cannot charge more than a reasonable, cost-based fee for the copies of the individual’s medical records. This fee may include labor for copying the requested records, supplies for creating the copies of the records, labor to provide any written summary regarding the records, and postage if the individual requesting the records has requested receipt of the records by mail. Any charges imposed for medical records must also comply with applicable state law.
The majority of OCR’s settlements have generally involved fairly egregious violations of patients’ rights to access under HIPAA. Many of the settlements involve repeated denials of access for the same patient records or indefensible delays in responding. In its most recent enforcement action, OCR entered into a settlement with the Diabetes, Endocrinology & Lipidology Center Inc. for failing to provide a parent a copy of her child’s medical records. OCR’s investigation revealed DELC acted upon the request nearly two years after the parent’s request. Consequently, DELC must undergo a corrective action plan and two years of monitoring, along with paying a $5,000 fine to OCR. OCR’s Acting Director Robinsue Frohboese stated, “Covered entities owe it to their patients to provide timely access to medical records.”
OCR has imposed even harsher fines on hospitals and health systems. For example, OCR fined St. Joseph’s Hospital and Medical Center $160,000 to settle potential violations of HIPAA’s right of access provision. Through its investigation, OCR discovered SJHMC did not respond to a parent’s request for a copy of her son’s medical records, despite the parent following up with SJHMC on multiple occasions. Although SJHMC provided the parent with some of the requested records, SJHMC ultimately did not fulfill its requirements under HIPAA.
In another investigation, Riverside Psychiatric Medical Group argued it was not required to produce requested patient records because the records contained psychotherapy notes. As a result, OCR clarified that while providers are not required to produce psychotherapy notes, they must provide patients with a written explanation to accompany any denial of records, and the remaining records that the patient may access under HIPAA.
While providers must be aware of patients’ rights of access under HIPAA, they must also understand the circumstances in which restricting access to records may be required. Providers should enter their notes understanding the patient will be able to view them if requested, except for narrow exceptions.
Providers should have written patient access policies in place and should inform their staff on responding to medical records requests. They should also conduct regular HIPAA training. Compliance with HIPAA can ultimately enhance patient relationships, help avoid sanctions from OCR and prevent providers from incurring unnecessary and costly penalties.•
• Robert A. Anderson is a partner and Alexandria M. Foster is an associate at Krieg DeVault LLP. Opinions expressed are those of the authors.
Please enable JavaScript to view this content.