Most health care providers are aware that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its accompanying regulations provide for the privacy and security of patients’ health care records. However, another important tenet of HIPAA is the ready availability of those records for patients and for providers coordinating those patients’ health care. Since the enactment of HIPAA, patients have always had a right to access their protected health information. In fact, that right must be stated in the notice of privacy practices patients receive at hospitals, in doctors’ offices, and from other health care providers.1
The Office for Civil Rights (“OCR”) is the government agency tasked with enforcing HIPAA. Earlier this year, the OCR announced its HIPAA Right of Access Initiative (“Initiative”), which aims to vigorously enforce the rights of patients to timely receive copies of their protected health information without being overcharged for the same. The OCR has begun its enforcement actions against providers under the Initiative, and this month Bayfront Health (“Bayfront”) in St. Petersburg, Florida was the first provider to pay fines to the OCR. Bayfront paid $85,000.00 to the OCR for failing to provide health information to a mother about her unborn child until more than nine (9) months after the request. Bayfront also entered into a corrective action plan wherein it must develop written policies and procedures to comply with HIPAA and provide workforce training. See HHS.gov press release dated September 9, 2019. In light of this recent Initiative, providers need to review and update their HIPAA compliance, especially in the area of access to medical records. A summary of the specific requirements is below.
As discussed above, patients have a right of access to inspect and copy their protected information under HIPAA. 45 C.F.R. § 164.524 (a). Exceptions exist for “psychotherapy notes” and information compiled in anticipation of or for use in a civil, criminal, or administrative action or proceeding. Id. With limited exceptions, a health care provider must act on a request for access to medical records no later than thirty (30) days after receipt of the request. Id. If the provider denies the request, it must provide written reasons for denial in compliance with the regulations. Id. If the patient requests copies of the protected health information, the covered entity may impose a reasonable cost-based fee that may include the cost of:
i. Labor for copying the information
ii. Supplies for creating the paper copy or electronic media
iii. Postage if the patient requests that a copy be mailed
iv. The preparation of any explanation or summary of the health information if requested by the patient. 45 C.F.R. § 164.524 (c) (4)
In light of the OCR’s Initiative, health care providers should review their written HIPAA compliance policies and procedures and actions with their compliance officer and/or health law counsel to make sure they are in full compliance with HIPAA. Failure to do so could prove very expensive to correct.
1 This article focuses on the obligations of health care providers under HIPAA. However, obligated covered entities under HIPAA also include health plans and health care clearinghouses.