The HIPAA Right of Access Initiative: Penalties for Not Honoring Patient Requests
HIPAA provides a few reasons a provider can deny a patient part or all of a medical record. Protecting a patient or another person from the reasonable likelihood of harm is one example of a situation that could result in a denial of records.
Outside of these limited reasons, a healthcare provider must provide a patient’s record when they request it. It does not matter if there is an outstanding balance on the patient’s account. The records must be provided.
Although the right of access is part of HIPAA law, many providers still fail to meet its requirements. This is why, in 2019, Office for Civil Rights (OCR) launched its HIPAA right of access initiative to highlight the importance of meeting patient requests.
Since announcing its initiative, OCR has reached at least 41 settlements resulting in fines for those who have violated the standard. In at least one instance, a provider’s refusal to provide records because money was still owed on an account resulted in a $100,000 fine.
Earlier this year, after settling eleven enforcement actions under the HIPAA right of access initiative, OCR Director Lisa J. Pino stated, “It should not take a federal investigation before a HIPAA covered entity provides patients, or their personal representatives, with access to their medical records. Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”
OCR obviously takes this seriously. Organizations should have clear HIPAA policies and procedures to address handling medical record requests, which should reflect the standards established by HIPAA.