Avoiding HIPAA Right of Access Fines and Penalties - Enforcement Actions are Closer Than You Think

Recommendations to help a practice avoid running afoul of the Right of Access requirements.

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services recently announced that St. Joseph’s Hospital and Medical Center in Phoenix agreed to pay $160,000 to settle an enforcement action alleging violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Rule.1 In a nutshell, this Rule requires that when a patient or patient representative requests medical or billing records, the health care entity must provide a complete copy within 30 days in any “readily producible” format specified by the patient for a “reasonable, cost-based fee.”2 OCR launched its HIPAA Right of Access Initiative in 2019 to vigorously enforce patients’ right to promptly access their medical records in the readily producible format of their choice, without being overcharged.3 As of November 19, 2020, OCR has settled twelve of these enforcement actions, summarized in the table below. According to OCR, “enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.”4 In all cases, the health care entity allegedly failed to timely provide a complete copy of medical records despite repeated requests by a patient or personal representative. The patients or representatives waited months, and sometimes years, to finally receive the records they requested. In addition to monetary settlements,5 all the health care entities agreed to a corrective action plan and one or two years of monitoring.

Recent HIPAA Right of Access Enforcement Actions Settled 

[Table image: Recent HIPAA Right of Access Enforcement Actions Settled]

Risk Management Strategies

A sound and comprehensive HIPAA compliance plan, and the following tips, may prevent physicians and practices from running afoul of the Right of Access requirements.

    • With limited exceptions, patients and their personal representatives have a broad right to timely access their protected health information (“PHI”) contained in the practice’s designated record sets (“DRS”).18 To ensure that practice staff who field patient requests for records understand and consistently comply with this requirement, provide HIPAA education and training emphasizing the following:
      • DRS is a group of records that includes medical and billing records and other records used by the physician or practice to make decisions about the patient.19
      • In Arizona, the patient or personal representative must submit the request in writing.20

      • In Utah, the patient or personal representative may submit the request either orally or in writing, but the practice may require a written request provided it advises patients of this requirement.21
      • The physician or practice MUST act on the request within 30 days of receipt.22

      • If the physician or practice cannot provide access within 30 days, inform the patient or representative in writing and provide a date the records will be available. HIPAA permits only one 30-day extension.23
      • The physician or practice must provide the PHI in the form and format requested (paper, electronic, specific electronic format), if the practice is capable of readily producing it in that form or format. Otherwise, the physician or practice must attempt to reach agreement with the patient on an alternative format that the practice is capable of producing.24

      • Patients and personal representatives are entitled to request in writing that the PHI be sent to a third party.

      • Do not take comfort in the fact that the physician or practice is small, rural, or not affiliated with a hospital or health system. As the table above demonstrates, OCR is investigating offices and practices of all sizes, specialties, types, and affiliations.25


The content of this publication or presentation is intended for educational purposes only; is not an official position statement of Mutual Insurance Company of Arizona (MICA); and should not be considered or relied upon as professional, medical, or legal advice or as a substitute for your professional judgment. Consult your attorney about your individual situation and the applicable laws. The authors, presenters, and editors made a reasonable effort to ensure the accuracy of the information at the time of publication or presentation but do not warrant or guarantee accuracy, completeness, or currency of such information. As medical and legal information is constantly changing and evolving, check for updated information and consult your attorney before making decisions.
