Providers Beware: The Office for Civil Rights Is Making an Example of Providers that Fail to Deliver Patient Records

Fennemore Client Alert

Providers Beware: The Office for Civil Rights Is Making an Example of Providers that Fail to Deliver Patient Records

There is a new vigor on the part of regulators to ensure patients have access to their health records. Among the many requirements that were created by the HIPAA Privacy Rule is a patient’s right to access, inspect, and obtain a copy of their health records from a health care provider upon request. Although required under HIPAA, data shows that many providers fail to respond to an individual’s access request within the 30 day requirement. The Department of Health and Human Services has taken aim at these lapses and in 2019 the Office for Civil Rights announced the Right of Access Initiative as an enforcement priority. The RAI is designed to help patients access their medical records in a requested format and in a timely fashion, for a reasonable fee.

The OCR wasted no time making examples of providers that failed to deliver timely access to medical records. Since the RAI was declared, there have been 14 enforcement penalties announced, 10 in 2020 and 1 already in 2021, which was the largest to date. These settlements encompass a wide range of covered entities, ranging from large health care systems to smaller mental health service providers with the settlement amounts varying widely from $3,500 to $200,000. In addition to the monetary settlements, all of the covered entities involved are subject to detailed corrective action plans, which include one to two years of monitoring by the OCR.  All of the investigations that have resulted in settlements were initiated after the individual trying to access the records filed a complaint with OCR.

Considering OCR’s recent interest in enforcement in this space, providers should review and revise their written policies, procedures and other written communications to ensure they support individuals’ access rights in accordance with HIPAA’s requirements. The review should ensure that policies are comprehensive and accurate for record requests responses. Providers should also develop training protocols to ensure that all workforce members tasked with fulfilling patient records requests comply with the Privacy Rule. 

To complicate compliance further, on December 10, 2020 the OCR announced proposed changes to the Privacy Rule. HHS’s Regulatory Sprint to Coordinated Care is designed to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. Part of the proposed rulemaking would overhaul some aspects of the Privacy Rule and include shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days), clarifying the form and format required for responding to requests for PHI, requiring covered entities to inform patients about their right to obtain or to direct copies of PHI to a third party, and reducing the identity-verification burden on individuals exercising their access rights. While some of these proposals will clarify requirements for providers, the reduced response time for a records request highlights the need for fully vetted and complete policies and training.

Providers are well-advised to take this opportunity to review their internal practices and provide staff training to ensure compliance. These simple tasks may help to prevent a simple oversight from becoming a major compliance investigation, or worse. You should contact an attorney experienced with HIPAA and related healthcare issues to help you establish compliant practices.