On June 2, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the 19th Resolution Agreement in the Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. This initiative seeks to support individuals’ rights under HIPAA to timely access to their health records at a reasonable cost. This initiative has led to settlements with large and small providers alike. In addition to the monetary settlement, the Resolution Agreements each include a corrective action plan and a period of monitoring (generally one to two years).
In this 19th enforcement action, the Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) from West Virginia paid a $5,000 monetary settlement and agreed to a corrective action plan. This settlement stemmed from a 2019 complaint from a parent seeking access to medical records on behalf of her minor child. HIPAA requires that a covered entity, like DELC, treat a “personal representative” of a patient the same as the patient with regard to the exercise of the right of access. In most cases, a parent will be the personal representative of their minor child. HIPAA requires that a covered entity responds to such a request “no later than 30 days after receipt,” either by fulfilling, denying, or notifying the requestor of a one-time extension of up to 30 days.
A notable nuance in this 19th Right of Access Initiative settlement is the timing of the request and the patient complaint that resulted in the OCR investigation. Per the Resolution Agreement, OCR indicated that the potential noncompliant conduct was a failure to provide timely access to the minor son’s records since July 8, 2019. OCR also indicated that it received the mother’s complaint of failure to provide access to records on August 6, 2019. Ultimately, it does appear that DELC did not provide the parent the requested records until May of 2021, following OCR’s notification of investigation on October 30, 2019. However, the apparent timing of the request versus complaint – barely 30 days – underscores the importance for covered entities of timely response to records requests and clear communication with patients and their personal representatives. There are a number of proactive measures covered entities can take to mitigate the risk of potential noncompliance, which we previously discussed here, such as updating policies, training workforce members, and enforcing compliance with timely response deadlines. Prompt responses will only become more critical if the December 2020 proposed rule is finalized in its current form, which would shorten the timing for response to 15 days.
For more information or assistance in assuring that your organization is in compliance with HIPAA’s right of access requirements, please contact Madison M. Pool or Laura S. Dona.