On December 15, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $160,000 right of access settlement. Since OCR announced its focus on right of access enforcement in 2019, it has settled with 46 healthcare organizations for potential violations of the standard.
In a press release announcing the most recent right of access settlement, OCR Director Melanie Fontes Rainer stated, “Health care providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority. Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”
Optum Medical Care Settles with OCR Over Multiple Complaints
Optum Medical Care of New Jersey is a multi-specialty physician group treating patients in both New Jersey and Connecticut. In 2021, OCR received six separate complaints that the group failed to provide copies of medical records after adult patients and parents of minor patients requested them.
After receiving the complaints, OCR launched an investigation into Optum. The investigation uncovered that the healthcare provider failed to provide timely access to requested medical records, providing them between 84 and 231 days.
To close the investigation, Optum has agreed to implement a corrective action plan to ensure timely access to their records for patients, submit to one year of OCR monitoring, and pay $160,000. The corrective action plan requires Optum to train its workforce, report records requests to OCR, and review and revise its right of access policies and procedures.
What is the HIPAA Right of Access?
The HIPAA right of access standard requires healthcare organizations to meet a patient’s request to receive a copy of their medical records. These records must be provided to the patient, or their personal representative, within thirty days of the request (or within 60 days if an extension is applicable).
Records must also be provided in the format the patient requests them in when it is reasonably appropriate to do so, and places limitations on the cost that can be charged for providing the records.
Under this standard, healthcare organizations must provide patients with access to all protected health information contained in their “designated record set.” There are two categories of information, however, that are expressly excluded from the right of access:
- Psychotherapy notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.