The OCR’s Dedication to the Right of Access Initiative
Anyone that keeps an eye on the HIPAA violation settlements would be able to see the clear trend over the past year - the Right of Access Initiative. In just over a year since they announced this mission, the Office of Civil Rights within the Department of Health and Human Services has already settled over ten HIPAA violations under this topic alone. The Right of Access Initiative was born out of an existing goal of the Privacy Rule under HIPAA - that people should be afforded quick and easy access to any of their health information that is held in the healthcare system.
We’ll walk through everything you need to know about this promise within HIPAA and how the OCR has been following through on that in 2019 and 2020.
HIPAA Privacy Rule - Right of Access
One significant issue that has been increasing for patients over the past couple years is their inability to have reliable and quick access to their medical records when requested from providers. Individuals have struggled with this whether that is in the form of receiving incomplete records, being charged unnecessarily for their own records or having to wait an extended period of time (even years!) for that information.
The text of the HIPAA Privacy Rule provides each patient with the legal right to access and receive copies of their medical records and other health information when requested. We will cover a few of the most important details involved in an individual's right to their health information, but the HHS has covered almost every detail you could need here. The two main clarifications that the HHS has made to providers is that these records must be provided quickly and affordably but what exactly does that mean in this context?
Providing Timely Access Rules
All requests should be fulfilled in a reasonable and timely manner by the healthcare providers and health plans. According to the HHS, access to the requested information should be provided within 30 days of receiving the request for access, unless they have a reason why it cannot be provided so quickly.
If there is a need to extend this window, due to the information being stored in a way that is not readily accessible, they must provide a written explanation to the patient about the reason for the delay. Even if there is a valid reason for the request, it must be fulfilled within 60 days of the initial request with only one extension being allowed per request.
Appropriate Related Fees
The Privacy Rule does allow covered entities to charge a small, reasonable fee for providing a copy of PHI but only if that fee is to cover their cost in creating that copied record. The fee is only allowed to include the cost of labor involved in copying the record (in paper or electronic form), supplies needed to create the paper or electronic copy, postage required if sent via mail and finally the cost of the preparation of a summary of the PHI if the individual agrees.
This fee is not allowed to include any other associated costs, even if other cost additives appear to be authorized by a state law.
What is the HIPAA Right of Access Initiative?
In early 2019, the OCR made a statement that they were going to create an initiative to enforce the patient’s right of access to their own health information in a timely, reasonable manner. They did not create this concept as it is already outlined as a goal of HIPAA within the Privacy Rule.
Although this aspect of HIPAA had been enforced at times in the past, up until this initiative was brought forward, it had never been enforced with any regularity. The OCR has remained dedicated to ensuring that every patient is afforded the access to their information that HIPAA has long stated that they deserved. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.
Settlements Reached Under the Initiative
How is a Settlement Reached?
There are a couple of things to keep in mind with the settlements that are reached between the OCR and HIPAA covered entities or business associates. First, an organization reaching a settlement with the OCR is not them pleading guilty but it is them agreeing to comply with the corrective plan and 2 years of mandated monitoring by the OCR.
Second, the dollar amount of the fine is determined through various factors. These elements include the extent of the potential violation and the harm that could come from it, the nature of the violation, the organization’s history of HIPAA compliance or the lack thereof, the size and financial status of the entity. The settlements within the right of access initiative range in settlement amount from $3,500 to $160,000. The more recent settlements have reflected higher fine amounts, which may be a trend that we see continue.
A Complete List of the Right of Access Settlements to Date
In light of the Right of Access initiative and the OCR’s dedication to enforce this aspect of the Privacy Rule, healthcare providers should pay extra attention to this aspect of their operations. Providers are often so focused on preventing unauthorized access or sharing of PHI that they may forget the importance of providing quick and affordable health records to patients. Hopefully this blog will be a reminder to each organization to go back over your procedures for fulfilling a patient’s right of access to their own health information.
With the OCR stepping up their enforcement efforts, now is the time for all HIPAA covered entities and business associates to also step up their compliance efforts. Luckily, that’s exactly why Accountable exists - to make HIPAA compliance as simple as possible therefore helping you avoid these costly fines.