The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is cracking down on HIPAA Right of Access violations. After OCR announced the completion of three investigations in its HIPAA Right of Access Initiative, the total number of enforcement actions has risen to 20 this year alone, and 41 since the Initiative’s launch in 2019.
With OCR showing no sign of slowing down enforcement, healthcare providers should take care to ensure they are complying with the Right of Access rule. As a reminder, Right of Access violations include:
1. Not providing access in a timely manner: Providers must release records at a patient’s request within 30 days. If records are not readily accessible, providers may notify patients in writing and request one 30-day extension.
2. Failing to provide access to personal representatives: Patients may request that records be released to them, or to their personal representative – a person designated by the patient or allowed under state law to make healthcare decisions for the patient.
3. Denying access to the patient: Providers may deny access to PHI in very limited circumstances, such as when records have been compiled for a legal proceeding, or if such information may endanger the life or physical safety of a person. However, even if these circumstances apply for some PHI, patients must still have access to the rest of their record.
4. Failing to send records to a third party: Patients may request that a practice send their records directly to another person or entity, including other medical offices, law firms, or social service agencies. Records must be sent in whatever format the patient requests.
5. Not providing access in the requested format: If records are readily producible in a certain format requested by the patient, they must be produced in that format. If not, providers must work with the patient to determine another format agreeable to all parties.
6. Charging excessive fees for producing copies of patient records: For patient requests, providers may only charge a reasonable fee by calculating the cost of allowable labor, supplies and postage. If providers do not calculate actual allowable costs, they may charge a flat fee of up to $6.50. The fee must not include costs associated with storing, verifying, or searching for records. This fee limitation, however, does not apply to requests to release information to third parties.
OCR settlements based on these types of violations have ranged from $3,500 to $160,000, putting a large price tag on non-compliance. To avoid violations, healthcare providers should make sure their staff is fully trained on how to handle record requests, have standard procedures in place, and ensure full compliance with both the Right of Access standards and applicable state laws.
If you have questions or concerns about HIPAA Right of Access compliance, please do not hesitate to reach out to any member of Gardner Skelton’s employment team.