On November 30, 2021, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services released five more enforcement actions under its HIPAA Right of Access Initiative (the Initiative). The Initiative is intended to ensure that individuals receive timely access to their health information at a reasonable cost. These settlements, which involve healthcare providers of all types and sizes, bring the total number of Initiative enforcement actions since the Initiative was announced in 2019 to 25.
Subject to limited exceptions, the HIPAA Privacy Rule requires that a covered entity afford a patient, or the patient’s personal representative, access to inspect and obtain a copy of the patient’s protected health information (PHI). The covered entity must act on a request for access no later than 30 days after its receipt of the request, with the ability to extend its response time for up to 30 days with notification to the individual. The covered entity is limited to charging only a reasonable, cost-based fee for the copy of the PHI, and any fee also must comply with applicable state law requirements.
The recent enforcement efforts include two of the higher financial penalties of the Initiative’s enforcement actions: a financial settlement of $160,000 with Rainrock Treatment Center, LLC (d/b/a Monte Nido Rainrock) and a civil money penalty of $100,000 against Dr. Robert Glaser. Three of the enforcement actions require the covered entities to adhere to two-year corrective action plans (CAPs) and one requires a one-year CAP.
These enforcement actions also continue trends seen in the Initiative’s prior enforcement. For example:
- Organizations of all types and all sizes are struggling with the right of access requirement. The enforcement actions under the Initiative highlight that challenges in complying with the right of access requirement are not unique to small providers or certain types of clinical entities. The five recent enforcement actions involve both a solo practitioner and larger clinical practices, including a multi-site provider.
- Entities being investigated by OCR should cooperate with such investigations. A major theme in the Initiative enforcement actions is that OCR often reached out to the entity and provided technical assistance, but several entities did not, or did not fully, implement the guidance from OCR. This is seen acutely in the enforcement action against Dr. Glaser, because OCR advised his practice in 2017 to evaluate a patient’s request for access and to provide access if the patient’s requests complied with the HIPAA access requirements. After OCR received a second complaint from the same patient in 2018, OCR opened an investigation and requested information from the practice. After repeated outreach, OCR issued a civil money penalty for violating the right of access requirement when the practice failed to provide the requested information. Covered entities should take advantage of any technical assistance offered by OCR to ensure that they are providing appropriate medical record access to individuals; doing so may prevent an enforcement action or lessen a financial settlement or the length or terms of a CAP.
- Covered entities should ensure that they have enacted compliant policies and procedures addressing the HIPAA right of access requirements. In the recent enforcement action against the Denver Retina Center, an ophthalmological services provider, OCR determined that the practice not only did not provide a patient with access to their records, but also did not have compliant policies and procedures for the HIPAA right of access, leading to a financial settlement of $30,000 and a two-year CAP. In its investigation of a right of access complaint against the Wake Health Medical Center, a primary care medical group, OCR discovered that the practice charged a flat fee for medical record copies, regardless of the size of the records. The two-year CAP requires Wake Health to revise its policies and procedures to identify methods for calculating a reasonable, cost-based fee for medical record copies.
These recent enforcement actions emphasize that covered entities should not only have a process in place to respond to access requests in a compliant manner, but also ensure that their workforces are trained to understand patients’ access rights and the covered entity’s obligations for the same.
These latest five enforcement actions under the Initiative also emphasize that healthcare providers must continue to take seriously their obligations to provide patients with timely access to PHI and to limit costs for such access as required by HIPAA and state law.