Enforcement Trends: Six Ways Your Lab Can Avoid HIPAA Right of Access Issues
An analysis of recent OCR enforcement actions and settlements identifies the common pitfalls labs should watch out for.
More than four years have passed since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) changed the direction of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement by launching the Right of Access Initiative. This initiative targets providers that fail to provide patients access to their protected health information (PHI). While the pace of new cases has slowed, the initiative remains one of the most active areas of federal HIPAA enforcement. By analyzing these enforcement actions and settlements, lab leaders can identify the common pitfalls that cause compliance issues for providers and how their labs can avoid making the same mistakes.
HIPAA Right of Access Rules
The HIPAA Privacy Rule (45 C.F.R. § 164.524(a)(1)) requires a covered entity (provider) to provide patients or their personal representatives access to inspect and obtain a copy of the PHI held in a designated record set, subject to exceptions.1
What Is a Designated Record Set?
The Privacy Rule (45 CFR 164.501) defines a “designated record set” as a group of records maintained by or for a provider that comprises the following:2
- medical and billing records the provider maintains about individuals;
- enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- other records used, in whole or in part, by or for the provider to make decisions about individuals.
To exercise these rights, the individual must specifically request access to their PHI, either orally or in writing. Upon receiving the request, the provider has 30 calendar days to take action, either by:
- granting the request,
- rejecting the request in writing on a ground that the Privacy Rule lists as justifying rejection (such as where a licensed healthcare professional determines that granting access would be reasonably likely to endanger the requestor or another person), or
- requesting a 30-day extension.
Individuals who believe their HIPAA access rights are being denied can file a complaint with OCR, which can then intervene. If the OCR determines that the provider committed a violation, it can impose penalties, including civil monetary penalties (CMPs) of $100 to $50,000 per violation based on:3
- The nature and extent of the violation
- The nature and extent of the harm resulting from the violation
- The provider’s history of compliance with the HIPAA Rules, or lack thereof
- The provider’s financial condition, including its size and the impact of the COVID-19 public health emergency
- “Other matters as justice may require.”4
The HIPAA Right of Access Initiative
Right of access complaints are common. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR lists right of access as the second most common issue in complaints resolved in 2021, behind only impermissible uses and disclosures. Historically, however, OCR enforcement of the HIPAA Privacy Rule has focused on unlawful collection, use, and disclosure, and on providers’ efforts to keep PHI private and secure.5
That changed in April 2019, when the agency announced the launch of its Right of Access Initiative. Less than six months later, the OCR handed down its first-ever fine to a provider for failing to comply with its right of access obligations. By the end of the Trump administration in January 2021, the agency had dished out no fewer than 14 such penalties, the final one at what was then a record-high of $200,000.6
Unlike many other Trump-era healthcare enforcement policies, the Right of Access Initiative has been continued by the Biden administration. Total settlements under the initiative now stand at 44, seven of which were for six-figure amounts. As part of each settlement, the accused provider has also had to implement a corrective action plan (CAP) that allows OCR to closely monitor its HIPAA compliance operations for one to two years.
OCR Right of Access Initiative Settlements Scorecard
| Provider | Settlement Amount | Summary of Violation |
|---|---|---|
| Memorial Hermann Health System | $240,000 | Texas nonprofit health system’s billing department failed to provide patient’s complete medical and billing records despite five different requests |
| Banner Health ACE | $200,000 | OCR cites two occasions in which Phoenix-based not-for-profit health system took about six months to provide patients their requested PHI |
| Rainrock Treatment Center, LLC dba Monte Nido Rainrock | $160,000 | Florida eating disorder treatment clinic took more than eight months to fulfill the patient’s request for a copy of her medical records |
| St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to the patient’s mother even though she was his legal representative |
| ACPM Podiatry | $100,000 | In response to the initial complaint and OCR intervention, Illinois podiatry practice agreed to provide patient-requested medical records but reneged on its agreement despite the patient’s multiple requests |
| Dr. Robert Glaser | $100,000 | New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record |
| NY Spine Medicine | $100,000 | Neurology practice refused patient’s multiple requests for copies of specific diagnostic films |
| Bayfront Hospital | $85,000 | Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child |
| Korunda Medical | $85,000 | After first refusing to provide it at all, the Florida primary care and interventional pain management services provider sent the patient’s PHI to a third party in the wrong format and charged him excessive fees |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Georgia dental practice refused to give the patient access to her record because she wouldn’t pay the $170 copying fee |
| Children’s Hospital & Medical Center | $80,000 | Nebraska hospital failed to provide the mother of a minor patient timely access to her daughter’s medical records, despite repeated requests |
| Renown Health, P.C. | $75,000 | Nevada private, not-for-profit health system didn’t timely honor the patient’s request to transfer her electronic health record (EHR) and billing records to a third party |
| Sharp Rees-Stealy Medical Centers | $70,000 | California hospital and healthcare network didn’t timely honor the request to transfer the patient’s EHR to a third party |
| Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored request of personal representative seeking access to her father’s PHI |
| Southwest Surgical Associates | $65,000 | Group practice in the Greater Houston, Texas, area failed to provide the patient timely access to their requested PHI |
| Arbour Hospital | $65,000 | Massachusetts mental health services provider kept the patient waiting five months before granting access to his PHI |
| University of Cincinnati Medical Center, LLC | $65,000 | Ohio academic medical center failed to respond to the patient’s request to send an electronic copy of her medical records maintained in its EHR to her lawyers |
| Hillcrest Nursing and Rehabilitation | $55,000 | Massachusetts rehab agency failed to provide an individual’s personal representative with timely access to her son’s medical records |
| MelroseWakefield Healthcare | $55,000 | Massachusetts provider didn’t furnish personal representative timely access to medical records under a durable power of attorney based on the mistaken belief that the power of attorney didn’t permit the provision of those records |
| Erie County Medical Center Corporation | $50,000 | Buffalo, New York hospital didn’t provide an individual with a complete copy of his medical records in a timely manner |
| Housing Works Inc. | $38,000 | The New York City non-profit services provider refused the patient’s request for a copy of his medical records |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Georgia primary care practice failed to provide the patient access to his medical records |
| Advanced Spine & Pain Management | $32,150 | Ohio pain services provider took nearly four months to provide patient-requested medical records |
| Family Dental Care, P.C. | $30,000 | Chicago dental practice took five months to provide the former patient complete access to her medical records |
| Fallbrook Family Health Center | $30,000 | Nebraska provider failed to provide timely access to medical records |
| Dr. Donald Brockley, D.D.M. | $30,000 | Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record |
| Denver Retina Center | $30,000 | Colorado ophthalmological services provider took eight months to provide the requested medical records and lacked compliant access policies |
| Village Plastic Surgery | $30,000 | New Jersey practice failed to provide the patient with timely access to his medical records |
| Jacob and Associates | $28,000 | Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for five years in a row |
| Paradise Family Dental | $25,000 | Las Vegas dental practice refused to provide a mother with a copy of her and her minor child’s dental records |
| Riverside Psychiatric Medical Group | $25,000 | California medical group didn’t provide the patient a copy of her medical records despite repeated requests and OCR intervention |
| Associated Retina Specialists | $22,500 | The New York provider didn’t give the patient a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the patient’s first written request |
| Health Specialists of Central Florida Inc. | $20,000 | Florida primary care practice didn’t provide personal representative/daughter timely access to her father’s medical records despite multiple requests |
| Coastal Ear, Nose, and Throat | $20,000 | Ormond Beach, Florida practice didn’t provide a patient timely access to medical records despite multiple requests |
| Life Hope Labs, LLC | $16,500 | Georgia lab took seven months to provide medical records to the patient’s personal representative/daughter |
| David Mente, MA, LPC | $15,000 | Pittsburgh licensed psychotherapy provider didn’t provide medical records of minor patients to their personal representative/father |
| Dr. Rajendra Bhayani | $15,000 | The New York physician didn’t provide the patient with her medical records even after OCR intervened and closed the complaint |
| All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused the patient’s requests to inspect and receive a copy of her records |
| Wake Health Medical Group | $10,000 | North Carolina primary care provider never furnished requested records despite charging patient a $25 access fee |
| Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record |
| Lawrence Bell, Jr., D.D.S. | $5,000 | Baltimore, Maryland, dental practice failed to provide timely access to a patient’s medical record |
| Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | West Virginia diabetes clinic made the mother of a minor patient wait nearly two years for access to his medical records |
| King MD | $3,500 | Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint |
Compliance Ramifications: HIPAA Right of Access Pitfalls to Avoid
The first takeaway for labs is that though the HIPAA duty to comply with patient access requirements is as old as the Privacy Rule itself, the OCR Right of Access Initiative has made it more urgent. A close look at the cases reveals what providers are doing wrong. Avoiding these six common right of access pitfalls is the key to ensuring that your lab stays compliant:
1. Keeping Patients Waiting Too Long
Pitfall: The most common mistake providers make in responding to access requests is taking too long to respond instead of following the 30-day rule. The longest a patient should have to wait for a response to an access request is 60 days—the original 30 days plus a 30-day extension. But in many cases, patients are waiting months or even over a year for access.
| Provider | How Long Patient Waited for Access | Settlement Amount |
|---|---|---|
| St. Joseph’s Hospital & Medical Center | 22 months | $160,000 |
| NY Spine Medicine | 16 months | $100,000 |
| Beth Israel Lahey Health Behavioral Sciences | Eight months | $70,000 |
Source: U.S. Department of Health and Human Services
Solution: It’s essential to have a process in place to review and respond to access requests within the required deadline. Staffers handling access requests should also receive training on not only the timelines but also the proper basis for denying access requests under the Privacy Rule.
2. Not Providing Access to the Patient’s Personal Representative
Pitfall: Under the HIPAA Privacy Rule (45 CFR 164.502(g)), providers must provide access to either the patient to whom the PHI relates or the patient’s personal representative, i.e., a person with authority to make healthcare decisions for the patient under state law, including a parent, guardian, executor, or person holding a power of attorney.7
Example: Life Hope Labs was hit with a $16,500 penalty for not providing a personal representative a copy of her deceased father’s medical records, which she requested in her capacity as the representative of his estate.8
Solution: While it’s essential to verify that people asking for the PHI of another person have the legal right to access that information, labs also need to keep in mind that personal representatives do have access rights. Labs must also ensure there’s a process for verifying the legal authority of third parties in time to meet the 30-day deadline. That can be tricky given the complexity of state laws governing custody and other personal representative issues. Instruct staffers to seek a 30-day extension if they need more time to sort out the requestor’s legal status as a personal representative.
3. Denying Patient’s Request to Send PHI to a Third Party
Pitfall: HIPAA “third-party directive” rules give patients the right to request that a provider send their medical records directly to another person or entity, like a law firm, social service agency, or other medical office. OCR has taken enforcement action against at least four providers for failing to honor patients’ requests to send their PHI to a third party.9
Example: In one of the earliest enforcement actions under the Right of Access Initiative, Korunda Medical, a Florida-based company that provides comprehensive primary care and interventional pain management, had to pay $85,000 for repeatedly ignoring a patient’s request to send her PHI electronically to a third party.10
Solution: Ensure that your HIPAA access protocols provide for transmitting patient PHI to third parties when requested. You should also require patients to put such requests in writing to reduce the risk of mistakes and misunderstandings and ensure written documentation of the request. Also keep in mind that if you require access requests to be in writing, you must state this in your HIPAA Notice of Privacy Practices (NPP).
Model NPP Language
You have the right to request that your protected health information be transmitted to a third party that is authorized to receive it. Any such requests must be submitted in writing to [list your lab’s contact information] and list the exact address of the recipient, as well as the format in which you want the information transmitted to the extent you want us to transmit the information in an alternative format.
4. Transmitting the Requested PHI in the Wrong Format
Pitfall: Whether sent to the requestor or a third party, PHI must be transmitted in the format requested, as long as the information is readily producible in that format. Not transmitting the information in the requested format may constitute an access rights violation, as several providers targeted by the Right of Access Initiative have learned the hard way.
Example: The University of Cincinnati Medical Center, LLC had to pay $65,000 for failing to respond to a patient’s request to send an electronic copy of her medical records that the center maintained in its electronic health record to her lawyers.11
Solution: Ensure that your internal HIPAA access response protocols specify that requested records must be transmitted in the form and format requested, as long as the PHI is readily producible in that form and format. If that’s not the case, you must produce the information in a readable hard copy form or other format that you and the requestor agree on. While you don’t have to purchase new software or equipment to accommodate every possible kind of access request, you do need the capacity to provide some electronic form of records that are maintained electronically, notes a legal analysis from the healthcare law firm Jackson LLP.12
5. Charging Excessive Fees
Pitfall: The HIPAA Privacy Rule allows providers to charge requestors reasonable fees based on their costs to produce the requested records. Processing fees were a key issue in at least two of the Right of Access Initiative settlements.
Example: A Georgia dental practice refused to provide requested records because the patient wouldn’t pay the $170 copying fee. OCR intervened and the practice ended up paying $80,000 to settle claims of failing to provide timely access and charging excessive fees.13
Solution: Ensure that your access fees meet the requirements set out in HHS guidelines, which specify that the fee may incorporate the cost of:14
- labor for copying the records;
- labor for preparing an explanation or summary of the PHI, as long as the requestor agrees in advance to receive the explanation or summary and pay the specific fee;
- supplies for creating the paper copy, e.g., paper, toner, or electronic media, e.g., CD or USB drive, as long as the individual requests that the electronic copy be provided on portable media; and
- postage, when the person requests that the information be mailed.
You can’t charge for costs related to:
- searching for and retrieving the PHI,
- maintaining systems,
- infrastructure, or
- any other expense not listed above, even if state law authorizes such costs.
6. Denying All Requested PHI because Some of It Isn’t Subject to Disclosure
Pitfall: As noted above, there are certain kinds of PHI that providers don’t have to furnish in response to an access request, such as information contained in psychotherapy notes. Problems may arise when a provider denies an entire request because part of what the individual asks for isn’t subject to disclosure.
Example: California-based Riverside Psychiatric Medical Group (RPMG) refused to provide a patient with her medical records because some of the information came from protected psychotherapy notes. The problem is that RPMG denied access to all the records requested, including the ones not shielded from disclosure. Result: It had to enter into a $25,000 settlement agreement with OCR.15
Solution: If you have grounds to deny some of the PHI a person requests, withhold that information and provide access to the rest in accordance with HIPAA rules. Also, be sure to send the requestor a timely partial denial listing the basis for withholding the other information. Failure to do this is part of why RPMG had compliance issues.
Final Takeaway: Cooperate with OCR
One of the most striking things about the Right of Access Initiative is that in almost every case, the OCR intervened to try to help the provider before initiating enforcement action. The typical dynamic:
- the patient complains to OCR;
- OCR reaches out to offer the provider technical assistance to resolve the dispute;
- the provider ignores the OCR’s recommendations, in whole or in part;
- the patient files a second complaint with OCR;
- OCR determines that the provider committed a violation; and
- the provider ends up settling the case.
Bottom Line: Proactive compliance and preventing access rights violations and disputes should be your first objective. But if you do run afoul of the rules and a patient complains, you might still be able to avoid financial penalties and CAPs by working to resolve the problem so the OCR doesn’t need to take enforcement action. Thus, if the OCR offers you technical assistance to resolve a HIPAA compliance issue, you should seize the opportunity.