On September 15, 2020, the Office for Civil Rights (OCR) announced five settlements with providers who were accused of failing to comply with HIPAA’s right of access requirements. On October 7th, the OCR announced another patient rights settlement, which is the eighth HIPAA Right of Access Initiatives settlement to date. And on October 9th, the ninth settlement was announced (two Right of Access settlements were announced early in 2019 and 2020).
The Privacy Rule requires covered entities to respond to patients’ requests to inspect or obtain a copy of their medical records within 30 days. In some circumstances, the provider may extend this timeframe by 30 days – but it must let the patient know of the delay within the original 30-day period.
The new settlements involved:
- NY Spine Medicine paid $100,000 after a patient complained that she did not receive her medical records as requested. The patient asserted that she received some records, but not the diagnostic films she requested. After the OCR intervened, the patient received all of her records – more than a year after her initial request.
- Joseph’s Hospital and Medical Center entered a $160,000 settlement after a mother complained that she requested her son’s medical records multiple times – and received some but not all of the records. The mother received the records more than 22 months after her initial request.
- Housing Works Inc. is a non-profit that provides health care, homeless services, and other services to individuals affected by HIV/AIDS. Housing Works entered a $38,000 settlement after it was accused of failing to provide a patient with medical records – even after the patient complained and the OCR provided assistance.
- All Inclusive Medical Services, Inc., a multi-specialty family clinic, entered a $15,000 settlement after it was accused of denying a patient’s request to inspect and receive a copy of her records.
- Beth Israel Lahey Health Behavioral Services (BILHBS) entered a $70,000 settlement. A personal representative complained that BILHBS failed to respond to her request to access her father’s medical records.
- King MD, a small psychiatric services provider, entered a $3,500 settlement. The OCR received a complaint that King MD failed to respond to a records access request. The OCR intervened and provided King MD with technical assistance – and, months later, the patient again complained that the records still were not provided.
- Wise Psychiatry, PC, entered a $10,000 settlement after a personal representative complained that Wise failed to provide access to her son’s medical records. The OCR intervened and provided technical assistance. Months later, the OCR received a second complaint that the access still had not been provided.
The OCR is serious about patient access rights. Patients know about this right and are increasingly filing complaints with the OCR when access is not granted.
What you can do:
- Train everyone in your building (yes, everyone!) on who to notify if a patient asks about accessing, seeing, or copying their medical records. Once the patient asks, the timeline begins. Make sure everyone working for your organization understands how to recognize these requests and who to notify (for example, your Privacy Officer).
- Periodically audit patient requests for access. Were they documented appropriately? Did your organization respond within 30 days?