OCR Continues Right to Access Enforcement
The Office of Civil Rights at the U.S. Department of Health and Human Services recently announced that it had accepted a settlement with a healthcare provider in Florida for a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s Right to Access requirements. According to a December 15, 2022 Press Release, this investigation is the 42nd case to be resolved under OCR’s HIPAA Right of Access Initiative, which was designed to improve compliance by covered entities. Under the settlement, the covered entity paid $20,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
In this case, a complaint was filed by the daughter, acting as a personal representative for her deceased father. The covered healthcare provider received the request on August 29, 2019 but did not furnish the records until January 2020. This is the 17th Right to Access settlement in 2022, totaling nearly $900,000 in settlements and over a million dollars in penalties. OCR began the Right to Access initiative in 2019 in support of individuals’ right to timely access to their health records under the Privacy Rule.
Under the Right to Access provisions of HIPAA, patients or their personal representatives must be provided with access to their “designated record set” within a reasonable period of time. A “designated record set” is:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
For the purposes of “Right to Access”, OCR has determined that 30 days is the outside limit of what is considered reasonable under the law. Where the covered entity cannot access the designated record set within 30 days because it is stored at an archived location that is not readily accessible, the covered entity may extend the reasonable period by an additional 30 days. However, the organization must inform the individual in writing of the delay, and it may not take a second extension.
A covered entity may require individuals to request access in writing, provided the covered entity informs the individual that they must do so. Covered entities may also offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access. Lastly, a covered entity may require individuals to use the entity's own supplied form, provided use of the form does not create a barrier to, or unreasonably delay, the individual obtaining access to their PHI.
What does OCR consider unreasonable measures for requesting access?
Under the rule, a covered entity may not impose unreasonable measures on an individual requesting access that might serve as barriers to, or unreasonably delay, the individual from obtaining access. Examples of this include requiring an individual:
Who wants a copy of her medical record mailed to her home address to physically come to the covered entity's office to request access and provide proof of identity in person.
To use a web portal for requesting access, as not all individuals will have ready access to the portal.
To mail an access request, as this would unreasonably delay the covered entity's receipt of the request and thus, the individual's access.
Format and Form for Access to Designated Record Set
The Privacy Rule requires that covered entities provide the individual with access to their designated record set in the form or format requested, provided the entity is readily able to do so. The individual can request their designated record set in paper or electronic format. Covered entities are not required to purchase software to provide the designated record set in the requested format. If the individual refuses to accept the information in a format that is readily producible by the covered entity, the covered entity may produce it in a readable hard copy.
Reasonable Fees for furnishing the designated record set
The covered entity may only impose a reasonable, cost-based fee. This fee must be communicated to the individual in advance. This fee may only cover the covered entity’s cost of labor for copying the records, supplies for creating any paper or electronic media, and postage. However, the fee may not include costs associated with:
Review of the request for access;
Verification of the information;
Documentation of the request;
Searching for and retrieving the PHI;
Maintaining systems;
Recouping capital for data access;
Storage of the information;
Other costs not listed above, even if such costs are authorized by State law.
A covered entity may not withhold furnishing the designated record set from the individual because the individual has an outstanding balance for healthcare services rendered.
Steps EMS agencies can take to mitigate risk associated with Right to Access
EMS agencies should have a clearly articulated process in place to review and respond to designated record set access requests. This process should include a detailed accounting of when the request was received, a review of the records requested, the desired format/media requested, a clear retrieval and preparation of the records, and a timeline to ensure a compliant response. An important element of this process is the education and training of all staff. This includes ensuring that frontline personnel are furnishing the Notice of Privacy Practices (NPP) to patients, which must detail how such access is requested and obtained. Field personnel should also know to whom to direct the patient or their representative if such a request is made during the patient interaction.