Yesterday, I published a Q&A for covered entities on the HIPAA “Right of Access” provision. In this post, I will discuss the Right of Access Initiative, which was announced in 2019 by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The goal of the initiative is to increase compliance with the HIPAA Right of Access provision through enforcement. Since 2019, OCR has settled more than 40 Right of Access cases and has imposed fines as high as $240,000. Read on for more information about OCR’s Right of Access Initiative and what it means for covered entities.
A Quick Review: What is the HIPAA Right of Access Provision?
The Right of Access provision is found at 45 C.F.R. 164.524 and falls under the HIPAA Privacy Rule. The law requires covered entities to provide individuals with access to their health information upon request, in a timely manner, and at a reasonable cost. “Timely” typically means that covered entities must act on an individual’s request for access within 30 calendar days of receiving the request. The law allows covered entities to charge fees for providing copies of the requested records as long as the fees are reasonable and cost-based. For more information about the HIPAA Right of Access provision, please see my recent post.
OCR’s Right of Access Initiative
OCR settled its first case under the Right of Access Initiative in September 2019. In a press release highlighting the first case, OCR described the Right of Access Initiative as part of the agency’s promise to “vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.” As of January 3, 2023, OCR has settled 43 cases under the Right of Access Initiative. The cases have involved covered entities of all sizes, including a large 17-hospital non-profit health system as well as small private dental and psychiatry practices.
Does the Right of Access Initiative indicate a change in the law?
No. Covered entities have always been required to comply with the HIPAA Right of Access provision; however, OCR’s Right of Access Initiative demonstrates the agency’s heightened focus on ensuring that patients can access their health information in a timely manner, for a reasonable cost.
How are Right of Access violations discovered?
OCR usually learns about potential HIPAA violations during compliance reviews and through complaints made by patients directly to the agency. To learn more about how OCR handles complaints and the investigation process, see this explanation published by HHS.
What do we know about the cases that have been resolved so far?
Review of the resolution agreements associated with these 43 cases reveals a few patterns. Each of the cases was initiated by one or more complaints filed directly with OCR. Many of the resolution agreements required that the covered entity develop and implement a corrective action plan. Thus far, every covered entity that has settled a case with OCR under the Right of Access Initiative has been assessed a fine that is paid to OCR. The fines ranged from $3,500 to $240,000 and the average fine was $56,794. As of January 2023, the total fines assessed by OCR under the Right of Access Initiative exceeds $2.4 million.
Untimely action is the most common issue
A small number of resolution agreements reference covered entities charging unreasonable fees for copies of records or failing to provide complete records. However, the issue cited in almost every case thus far was the covered entity’s failure to respond to a request in a timely manner. Under 45 C.F.R. 164.524(b)(2), a covered entity has 30 calendar days from when it receives a request for records to act on the request. The law provides for a single 30-day extension, creating a maximum response period of 60 calendar days, but the extension is not automatic: within the initial 30 days, the covered entity must give the individual a written statement of the reasons for the delay and the date by which it will complete action on the request. A covered entity can only get one extension per request for records.
In some of the cases settled by OCR, the covered entity’s failure to take timely action was plainly egregious (for example, in one case it took a covered entity 564 days, or more than 18 months, to take action on a request for an itemized billing statement). In other instances, covered entities that had missed the 30-day deadline by roughly four months, and then provided access to the requested records within days of OCR opening an investigation, were still subject to enforcement action, including fines. Providing the records once OCR is involved does not cure the violation.
Key Takeaways for Covered Entities
Although covered entities have always been required to comply with the HIPAA Right of Access provision, the Right of Access Initiative demonstrates that OCR has increased its scrutiny of and enforcement against covered entities that are falling short of following the law. Covered entities can reduce their risk of getting into hot water with OCR for a Right of Access violation by reviewing their policies, procedures, and practices to ensure they are meeting the law’s requirements. Readers can learn more about key terms and issues related to Right of Access compliance by reading my recent blog post and can find additional resources on the HHS “HIPAA for Professionals” website.