The HHS wasted no time in 2023, marking the new year with a fine announcement. On January 2, 2023, the HHS issued a press release announcing a $16,500 fine under the HIPAA right of access initiative.
Life Hope Labs Slapped with HIPAA Fine
In August 2021, the HHS received a complaint that Life Hope Labs failed to meet a medical records request. A deceased patient’s personal representative first requested access to her father’s records on July 7, 2021. Life Hope Labs failed to meet HIPAA right of access requirements by not meeting the request until February 16, 2022.
Upon conclusion of an OCR investigation, it was determined that Life Hope Labs failed to provide timely access to the requested medical records, a potential violation of the HIPAA right of access provision. As a result, Life Hope Labs agreed to a $16,500 settlement and is subject to a corrective action plan, along with two years of OCR monitoring.
“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”
What is the HIPAA Right of Access?
In 2019, the Department of Health and Human Services (HHS) announced that it would prioritize HIPAA right of access enforcement. Since then, 43 cases have been resolved under the initiative.
The HIPAA right of access standard requires healthcare organizations to meet a patient’s request to receive a copy of their medical records. These records must be provided to the patient, or their personal representative, within thirty days of the request (or within 60 days if an extension is applicable). Records must also be provided in the format the patient requests them in when it is reasonably appropriate to do so, and places limitations on the cost that can be charged for providing the records.
Under this standard, healthcare organizations must provide patients with access to all protected health information contained in their “designated record set.”
There are two categories of information, however, that are expressly excluded from the right of access:
- Psychotherapy notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separately from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
