On March 29, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced it had reached a settlement with Phoenix Healthcare for $35,000. The multi-location nursing care facility agreed to the settlement to resolve a potential HIPAA right of access violation. This marks the 47th enforcement action settled under OCR’s Right of Access Initiative.
The Complaint and the Settlement
A complaint was filed with OCR against Phoneix Healthcare in April 2019 after the provider failed to meet the daughter of a patient’s (the patient’s representative) request for medical records. After the OCR attempted to provide Phoneix Healthcare with technical assistance to meet the record request, and attempts for OCR to get the records, the healthcare provider met the request. However, they failed to do so for 323 days.
In relation to the settlement, OCR Director Melanie Fontes Rainer stated, “Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative. Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”
What is the HIPAA Right of Access?
The HIPAA right of access standard requires healthcare organizations to meet a patient’s request to receive a copy of their medical records. These records must be provided to the patient, or their personal representative, within thirty days of the request (or within 60 days if an extension is applicable).
Records must also be provided in the format the patient requests them in when it is reasonably appropriate to do so, and places limitations on the cost that can be charged for providing the records.
Under this standard, healthcare organizations must provide patients with access to all protected health information contained in their “designated record set.” There are two categories of information, however, that are expressly excluded from the right of access:
- Psychotherapy notes of a mental healthcare provider documenting or analyzing the contents of a counseling session. These notes are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
