On July 15, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released 11 enforcement actions under its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative (Initiative).[i] These new enforcement actions follow two issued on March 28, 2022, bringing the total number of enforcement actions under the Initiative to 38 since the Initiative began in 2019.
The Initiative and the Access Requirement
Concerned that covered entities, including health care providers and health plans, were failing to provide timely access to health information to individuals and their personal representatives and were overcharging for such access,[ii] OCR launched the Initiative. Covered entities, and business associates that assist with the provision of health information access, must ensure that they are following the access requirements of the HIPAA Privacy Rule.
Except for information in psychotherapy notes or compiled in anticipation of civil, criminal or administrative litigation,[iii] the Privacy Rule requires that a covered entity provide a patient or their personal representative access to inspect and obtain a copy of the protected health information (PHI) held in a designated record set.[iv] The Privacy Rule permits covered entities to deny access requests under certain circumstances, such as to PHI created or obtained in the course of research while the research is in progress, if the individual was so informed when they consented to the research.[v] A covered entity also may deny access if a licensed health care professional determines, in the exercise of their professional judgment, that the access requested is reasonably likely to endanger the life or safety of the requesting individual or another person or, in limited circumstances involving personal representatives or PHI that references others, is reasonably likely to cause substantial harm.[vi] Denials are either reviewable or non-reviewable; if reviewable, the covered entity must provide the individual with the opportunity to have the denial reviewed by a licensed health care professional who did not participate in the denial determination and who the covered entity designates as its “reviewing official.”[vii]
With respect to timing, a covered entity must act on a request for access no later than 30 days after its receipt of the request.[viii] OCR notes in its guidance that the 30-day requirement is an “outer limit” and encourages covered entities to respond to individuals as soon as possible,[ix] which is consistent with the 21st Century Cures Act’s regulations that implement the prohibition on information blocking.[x] If the covered entity grants the access request, it must inform the individual and provide access; if it denies the request, it must provide the individual with a written denial.[xi] If the covered entity is not able to provide or deny access within 30 days, it may take advantage of one extension of up to 30 days, provided that it notifies the individual within the initial 30-day period of both the reasons for the delay and the expected date on which the covered entity will act on the request.[xii]
The Privacy Rule limits a covered entity to charging only a reasonable, cost-based fee for the copy of the PHI.[xiii] Covered entities should note that applicable state law may specify precise amounts or place additional limitations on the fees that a covered entity may charge a patient. For example, New York does not permit denying medical record access to “qualified persons,” those permitted under state law to receive access to the records, solely based on an inability to pay the permitted fees.[xiv] Failure to comply with state laws can subject an entity to state-level enforcement parallel to OCR enforcement.
OCR Enforcement Trends and Lessons Learned
The latest round of enforcement actions involves a broad range of health care providers, from physician practices[xv] to a skilled nursing and rehabilitation facility[xvi] to a large health system.[xvii] OCR imposed resolution amounts and civil money penalties (CMPs) ranging from $3,500[xviii] to $240,000.[xix] In addition to the financial impact, with the exception of one organization that was assessed a CMP, every other 2022 settlement thus far has required the organization to enter into either a one- or two-year corrective action plan (CAP) or, in one case, other negotiated follow-up actions. It is important for HIPAA covered entities to consider the time and expense involved in complying with a CAP; a financial payment may be the least costly aspect of enforcement under the Initiative.
The 2022 Initiative enforcement actions provide a roadmap for how health care providers and health plans can ensure compliance with the right of access requirements. Some of the trends gleaned from OCR’s investigations and 2022 settlements show continued focus on conduct highlighted in prior enforcement actions, while others illustrate additional areas where HIPAA covered entities should ensure right of access compliance.
Several enforcement actions resulted from “multiple complaint” scenarios.
Several of the enforcement actions released thus far in 2022 involved scenarios where the individual complained to OCR about the lack of access more than once. For example, a physician practice entered into a $20,000 settlement for a right of access violation following two complaints to OCR from the same patient.[xx] One lesson gleaned from such a scenario is to ensure that an organization has a clear channel of communication with those requesting access, and a process in place to address complaints received by the health care provider before an issue escalates to a complaint to OCR. While it may not always be possible to avoid patient outreach to OCR, keeping patients informed as to where an access request stands, telling them whether there are any issues, such as identity validation, that can be addressed, and clearly communicating any denials or partial denials may serve to maintain good patient relations and allow issues to be resolved at the provider level.
Several enforcement actions resulted from “multiple request” scenarios.
The 2022 enforcement actions to date reflect multiple scenarios where individuals made more than one request to the health care provider for access to PHI. For example, OCR settled with a psychiatric practice that failed to respond to annual requests by a patient for a copy of her medical records. The practice ultimately required the patient to complete its record request form in person, imposed a flat fee that was not cost-based and initially provided only one of the 11 pages requested by the patient. In addition to determining that the practice failed to comply with the access requirements, including those regarding the payment of fees, OCR also found that the practice failed to implement policies and procedures, did not have a designated privacy official and did not have a compliant notice of privacy practices.[xxi] This enforcement action should serve as a warning to covered entities that HIPAA noncompliance, including violations of the right of access requirement, opens the organization up to a deeper review of its HIPAA compliance program. HIPAA covered entities and business associates should take the time to review their compliance plan, and the procedures and training used to implement it, prior to a complaint to OCR or an investigation.
In another settlement, a physician practice failed to respond to three written access requests from a patient. The practice explained to OCR that its failure was due to a former workforce member’s misunderstanding of the HIPAA right of access requirements.[xxii] A scenario like this emphasizes the need for an entity to go beyond the basic “module” HIPAA training, and implement a comprehensive training program that guides individuals through the HIPAA requirements related to their role, the entity’s policies and procedures related to the provision of access and the denial of access and, importantly, the avenues a workforce member can use to seek out assistance with verifying a requestor’s identity, analyzing whether the provision of full or partial access is permissible, and addressing any requests for reviews of denials or patient complaints.
Failure to cooperate with OCR may increase the likelihood of a financial settlement or CMP.
Consistent with previous enforcement actions, OCR’s recent settlements indicate that entities have a better chance of avoiding CMPs and financial settlements if they cooperate with OCR investigations. One enforcement action detailed that, following the complaint from a former patient regarding the failure to provide access to his medical records, OCR provided the practice with written technical assistance on right of access compliance and subsequently closed its investigation. Following a second complaint from the same individual, OCR re-opened the investigation. When the practice did not respond to multiple OCR requests for information or to a Letter of Opportunity and Notice of a Proposed Determination, OCR imposed a $100,000 CMP.[xxiii]
Similarly, in an enforcement action issued in March, OCR notified a dental practice that it found preliminary indications of noncompliance with the right of access requirement for the practice’s failure to provide a patient with a copy of her record. While OCR provided the opportunity for the practice to submit mitigating factors, an affirmative defense or evidence supporting a CMP waiver, the practice failed to respond. OCR notified the practice of its intent to impose a CMP of $104,000, which prompted the practice to request an administrative law judge hearing, with the parties eventually settling for a financial settlement of $30,000 and requirements for the practice to update its access processes, policies and training.[xxiv]
These types of enforcement actions highlight the importance of taking advantage of opportunities that OCR presents. If OCR provides technical assistance, a health care facility should follow its directives to the letter. If OCR has found a compliance issue and offers an opportunity to provide mitigating factors, the covered entity should do what it can to explain what happened, why it happened, and specifics about the organization that may mitigate a penalty. Finally, to try to prevent an unintentional lack of response to OCR, organizations should have a process for intake of OCR outreach, as well as training that details that process to ensure workforce awareness.
OCR is focused on the length of the delay to furnish access.
In a few of the recent settlements, OCR specifically highlights the length of time it took the covered entity to provide the requested access, citing the 618 days it took a pediatric practice to provide an incomplete copy of the requested records,[xxv] and the 564 days it took a health system to provide an itemized billing statement.[xxvi] Health care providers and health plans should ensure that they have an efficient, streamlined process in place to intake access requests, review and process such requests, and provide timely access or denials.
Nonpayment of fees is not a proper rationale for access denial.
In addition to failing to respond to an access request in a timely manner, OCR found that a psychiatric practice withheld access on the basis that the patient owed money to the practice.[xxvii] As discussed above, a health care provider has limited scenarios in which it may deny access, and outstanding receivables are not among them. HIPAA covered entities should have a concrete understanding of when access must be provided and when it may be denied. Developing an access response team of designated individuals to vet requests where it is not clear whether access may be provided establishes a clear pathway for workforce members who process requests, inquiries and complaints and run into issues.
Enforcement Trends = Compliance Roadmap
The 2022 OCR enforcement actions to date provide HIPAA covered entities, as well as the business associates who assist them in fulfilling access requests, with a roadmap to compliance. HIPAA-regulated entities should review their existing compliance plans to confirm that their policies and procedures surrounding the right of access comport with the legal requirements. They also should ensure that they have straightforward, comprehensive guidance for their workforce and vendors, so that access requests can be analyzed and processed in an efficient manner, and issues can be raised to the appropriate party with the intent to secure a timely, compliant resolution.
Originally published by the American Health Law Association. Copyright 2022, American Health Law Association, Washington, DC. Reprint permission granted.
The author wishes to acknowledge the contributions of Emma Schultz, Loyola University Chicago School of Law, J.D. candidate, 2023.
[i] Press Release, U.S. Dep’t of Health & Hum. Servs. Office for Civil Rights, Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA (July 15, 2022), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/july-2022-hipaa-enforcement/index.html.
[ii] See OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules, https://public3.pagefreezer.com/browse/HHS.gov/31-12-2020T08:51/https:/www.hhs.gov/about/news/2020/12/17/ocr-issues-audit-report-health-care-industry-compliance-hipaa-rules.html.
[iii] 45 C.F.R. § 164.524(a)(1).
[iv] 45 C.F.R. § 164.524(a)(1). It is important to note that the access requirement does not extend to information that falls outside of the designated record set, such as quality assessment or improvement information, patient safety activity records or business planning or management information.
[v] 45 C.F.R. § 164.524(a)(2)(iii).
[vi] 45 C.F.R. § 164.524(a)(3)(ii).
[vii] 45 C.F.R. § 164.524(a)(4).
[viii] 45 C.F.R. § 164.524(b)(2)(i).
[ix] See Individuals’ Right under HIPAA to Access their Health Information, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
[x] See 45 C.F.R. pt. 171.
[xi] 45 C.F.R. § 164.524(b)(2)(i).
[xii] 45 C.F.R. § 164.524(b)(2)(ii).
[xiii] 45 C.F.R. § 164.524(c)(4).
[xiv] N.Y. PBH Law § 18(2)(e).
[xv] See Southwest Surgical Associates (SWSA) Resolution Agreement, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/southwest-surgical-ra-cap/index.html.
[xvi] See Hillcrest Nursing and Rehabilitation Resolution Agreement and Corrective Action Plan, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hillcrest-ra-cap/index.html.
[xvii] See Resolution Agreement in the Matter of the United States Department of Health and Human Services, Office for Civil Rights, Transaction No. 20-396202, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial-hermann-roa-ra-cap/index.html (“Memorial Hermann”).
[xviii] See Danbury Psychiatric Consultants (DPC) Resolution Agreement and Corrective Action Plan, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/danbury-ra-cap/index.html (“Danbury”).
[xix] See Memorial Hermann.
[xx] See Coastal Ear, Nose & Throat, P.A. Resolution Agreement and Corrective Action Plan, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/coastal-ent-ra-cap/index.html.
[xxi] See Jacob and Associates Resolution Agreement, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jacob-associates/index.html.
[xxii] See Fallbrook Family Health Center Resolution Agreement and Corrective Action Plan, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fallbrook-ra-cap/index.html.
[xxiii] See ACPM Podiatry Notice of Final Determination, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acpm-nfd/index.html (“ACPM”).
[xxiv] See Donald B. Brockley, D.M.D. Settlement Agreement, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/brockley/index.html.
[xxv] See ACPM.
[xxvi] See Memorial Hermann.
[xxvii] See Danbury.