Recently, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced three more resolution agreements settling alleged violations of the HIPAA right of access. These agreements bring OCR’s total enforcement actions under its HIPAA Right of Access Initiative (“Initiative”) to 41 since OCR began the Initiative three years ago, as “part of a collective effort . . . to drive compliance on right of access under the law.”
The pace and number of OCR’s enforcement actions under the Initiative illustrate its continued focus on ensuring patients’ rights to timely access their health records under the HIPAA Privacy Rule (i.e., generally within 30 days). These most recent enforcement actions were between HHS and three different dental practices and involved penalties ranging from $25,000 to $80,000 and the requirement to implement corrective action plans. In OCR’s press release, OCR Director Melanie Fontes Rainer stated that these recent actions “send an important message to dental practices of all sizes . . . to ensure they are following the law.”
Notably, in all three cases, OCR’s investigation was triggered by complaints alleging that the dental practices had failed to comply with the HIPAA right of access requirements in varying degrees. While the foundation of the right of access provision is to ensure that patients (or their representatives) are given timely access to their medical records, these recent cases underscore the importance of other aspects of the law, such as ensuring timely access to a complete copy of the requested records and that any fees assessed for production are both reasonable and cost-based.
For all healthcare providers, not just dentists, these recent resolution agreements also give insight into OCR’s enforcement priorities and highlight some notable points:
- Timeliness and completeness of responses are critical components of compliance with the right of access. Although HIPAA provides certain exceptions to the right of access, there is a clear requirement to respond within 30 days of the request (either granting, denying, or, in limited circumstances, delaying response to the request). Further, a patient has a right to all information about them maintained in the “designated record set” by the provider; they are permitted to request any part of it, and a provider must give access or copies of those records unless an exception applies. Providers who fail to timely or completely respond to a patient request risk non-compliance with the HIPAA regulations.
- Limiting fees charged for copies to those that are compliant with the HIPAA regulations is another important part of compliance. Patients may only be charged a “reasonable, cost-based fee,” and overcharging can result in liability for providers under HIPAA.
- The right of parents to exercise the right of access on behalf of their minor children is another area where providers should be mindful. In most instances, parents will be the “personal representative” of their children under HIPAA, and thus HIPAA will treat a parent the same as the child in the application of the right of access to the child’s records. Providers should implement policies and train their staff to know when and how to navigate issues of parental authority in requests for access to records.
OCR continues to place importance on protecting the right of patients to access their medical information under HIPAA. Clear policies, routine training, and internal auditing are all elements of a functioning HIPAA compliance program. Covered entities and their business associates should review their own approaches to patient access and information security to identify any gaps that may exist in their organizations. To the extent gaps are identified, organizations should take corrective actions and implement mitigation measures. For more information, or for assistance evaluating your organization’s HIPAA compliance or responding to incidents that may arise, please contact AGG Healthcare attorneys Lanchi Bombalier or Madison Pool.