Citing its “Right of Access Initiative,” on September 9, 2019, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that a hospital in Florida (the “Hospital”) will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by paying a civil penalty of $85,000 and adopting a corrective action plan.

Per OCR’s investigation, a patient complained to OCR that it had been almost a year since she requested her child’s fetal heart monitoring records. The patient’s access requests included:

  1. A request by the patient on October 18, 2017 for the records. The Hospital replied the records could not be found.
  2. A request made through the patient’s counsel on January 2, 2018 and February 12, 2018, to which the Hospital provided an incomplete record on March 2018 and then a complete response on August 23, 2018.
  3. Following the OCR investigation, the Hospital provided the fetal heart monitor records to the patient on February 7, 2019.

Under HIPAA, patients have a right to access their “designated record set” from their provider, which includes medical and billing records maintained by or for a covered health care provider; enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan; and any information used by or for a covered entity to make health care decisions about individuals. Fetal monitoring strips that are part of a patient’s medical record, and therefore part of the designated record set, must be produced in a timely manner upon request. More and more frequently, such strips are electronic and are automatically integrated into the electronic health record, making it easier for health care providers to produce them.

When the patient is a minor, the parent or guardian generally has the right of access to the minor’s records, unless the minor is permitted to give consent to services independently, subject to state law. A third party, such as counsel, may also be authorized to exercise the patient’s right of access.

Under HIPAA, a response to a patient’s request for access to records should be provided within 30 days; however, one 30-day extension is permitted if the patient is notified in writing of the reason for the delay and provided the date by which the covered entity will respond to the request. State law may provide a shorter response time, thus, covered entities should be aware of their state requirements for a patient’s right of access.

The corrective action plan includes: 1) developing policies and procedures related to access and the designated record set; 2) providing to HHS a list of the names of the Hospital’s business associates that play a part in fulfilling access requests; and 3) training. OCR will be monitoring the Hospital for one year.

Practical Takeaways

Covered entities should take note of OCR’s “Right of Access Initiative” and ensure they are meeting their obligations under HIPAA. Key takeaways include:

  • It is critical to have a clearly defined designated record set, which includes a clearly defined legal medical record, combined with a document management policy. The document management policy should define what records are maintained for what purpose; for how long; when they are destroyed and how; and then actually comply with all of the foregoing. As technological advances lead to a greater volume of data collected on each patient, it is important to identify the data that must be included in the patient’s designated record set. This should be done on a regular basis.
  • Covered entities and any business associates responsible for responding to access requests on behalf of a covered entity must train staff to properly identify and respond timely to access requests. Most Health Information Management departments receive a large volume of requests from patients and other parties. Determining when a request is a true HIPAA access request is sometimes difficult, and policies and procedures, as well as training can help mitigate the risk of mismanaging an access request.
  • If covered entities decide to outsource the Health Information Management function of responding to requests for information, they must ensure that these vendors sign a business associate agreement. Further, they should ensure that the vendors are trained to adhere to the covered entity’s access request policy and to accurately identify and respond timely to access request. Covered entities should ensure risk is fairly allocated between the parties in the business associate agreement or underlying services agreement in the event a business associate fails to comply with its contractual or HIPAA obligations.
  • Covered entities and business associates must also be aware of the limitation on fees related to HIPAA access request. Under HIPAA, an individual who has requested a copy of their records may not be charged more than a reasonable, cost-based fee for the copy that covers only certain labor, supply and postage costs that may apply in fulfilling the request.