Earlier this year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced an initiative under which a main area of HIPAA enforcement in 2019 would be HIPAA right of access violations, including covered entities’ untimely responses to access requests and overcharging for copies of medical records. In early September of 2019, OCR reached its first settlement with a covered entity under that initiative.
The HIPAA Privacy Rule generally provides individuals with a right, upon request, to see and receive copies of the information in their medical and other health records that is maintained by covered entities (i.e., healthcare providers and health plans). This right is known as the HIPAA right of access.
Under the right of access, HIPAA covered entities must honor these requests by providing patients with access to the requested PHI or copies of health data. The covered entity must generally provide the requested information within 30 days of its receipt of the request.
Specifically, covered entities must, upon request, provide protected health information (PHI) contained in one or more “designated record sets” maintained by or for the covered entity. Records to which individuals may receive access under the HIPAA right of access include:
- Medical records and billing records about individuals maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
Examples of specific records to which individuals may receive access, under the HIPAA right of access rule, include:
- Treatment records
- Insurance information
- Clinical laboratory test results
- Medical images (such as X-rays)
- Wellness and disease management program files
- Clinical case notes
Enforcement of the HIPAA Right of Access
In early September of 2019, the Office for Civil Rights of the Department of Health and Human Services announced that it reached its first settlement under the 2019 right of access rule initiative.
OCR has settled with Bayfront Health St. Petersburg, a Florida hospital. Bayfront has agreed to pay OCR $85,000 to settle a case that had its origins in a patient’s complaint. In August of 2018, the patient complained to OCR that she had requested her fetal heart monitor records from Bayfront in October of 2017. She noted that, at the time of the complaint, 9 months had passed since the request, and that Bayfront had failed to respond to the request or provide the records.
OCR, upon investigation, confirmed that requests for the records were made in October of 2017, as well as in January of 2018 and February of 2018. In March of 2018, Bayfront, after having initially informed the patient that it could not find the records, finally provided the records to the plaintiff’s attorney. The records that were provided, however, constituted an incomplete set. Finally, in February of 2019, the records were provided to the patient – only after OCR intervened by telling Bayfront it had to provide the records.
OCR concluded its investigation by determining that the failure to provide access to the patient’s designated record set was a clear violation of the HIPAA Privacy Rule, warranting a sizable financial penalty. OCR and Bayfront then entered into the $85,000 settlement agreement.
The settlement agreement also requires that Bayfront implement a corrective action plan. Under the agreement, Bayfront will be monitored by OCR for compliance for a twelve-month period.