A recent report from Ciitizen, a patients’ rights advocacy group, has revealed more than half of healthcare providers (51%) are not fully compliant with the HIPAA Right of Access provision under the HIPAA Privacy Rule. Acting with authorization from patients, Ciitizen made requests for copies of patient records from 169 medical providers. The results indicate widespread HIPAA Right of Access compliance.
What is HIPAA Right of Access Noncompliance?
HIPAA Right of Access noncompliance consists of a failure to allow individuals to exercise the right to inspect or copy their medical records.
The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them.
PHI is defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA covered entity, in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.
This rule granting the right to inspect or obtain PHI, is referred to as the “HIPAA Right of Access.” The HIPAA Right of Access includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.Â
Individuals have a HIPAA right of access to this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of:
- The date the information was created;
- Whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or
- Where the PHI originated (e.g. whether with the covered entity, another provider, etc.)
How Did Ciitizen Obtain the Results?
Ciitizen, acting with authorization from patients, made requests of 169 medical providers for copies of patient medical records.Â
Ciitizen determined that 51% of the providers evaluated were not compliant with the HIPAA Right of Access rule, and/or needed significant intervention to become compliant. Ciitizen made the following specific findings:
- Sending records in the form and format requested by the patient still continues to be the biggest reason for noncompliance with HIPAA
- Even for providers who sent records, too much patient follow-up was needed to obtain those records
- When Ciitizen decreased the volume of follow-up phone calls to medical records offices, it took the offices longer – often over the 30-day HIPAA limit – to send the records.
These findings come on the heels of an early September 2019 Office for Civil Rights (OCR) announcement that it had reached its first settlement over a covered entity’s violation of the Right of Access rule under OCR’s 2019 right to access rule initiative. The settlement, with Bayfront Health St. Petersburg, a Florida hospital, was for $85,000.
