
Protect Your Lab against HIPAA Right of Access Liability Risks

by | Apr 29, 2022 | Articles, Compliance Perspectives-lca, Essential, Featured, Lab Compliance Advisor

Key points to educate your staff on when it comes to patient requests for test records and other protected health information.

Be sure that your lab’s medical records department responds promptly to patient requests for test records and other protected health information (PHI). While this isn’t a new requirement, it’s one of growing importance now that the HHS Office for Civil Rights (OCR) has made it a priority for Health Insurance Portability and Accountability Act (HIPAA) enforcement. Here’s a look at the liability risk and what you can do to manage it.

HIPAA Privacy Rule Access Response Rules

First, make sure your staff is clear on the right of access rules and timelines. Under the HIPAA Privacy Rule, labs and other covered entities have 30 calendar days to act on an individual’s request for access to their PHI. The clock begins ticking when you actually receive the request. If you need more time to act on the request, you can seek an extension of 30 more calendar days, as long as the lab or other entity provides the requestor a written statement listing the reasons for the delay and the date by which it will complete its action in processing the request.

These timelines apply even if your lab doesn’t maintain the PHI that the individual requests but instead relies on a business associate to maintain the data on your behalf. Also keep in mind that the 30-day response deadline clock starts ticking on the date the lab receives the request, rather than the date you forward the request to the business associate. Thus, by the time the business associate gets the request from you, precious time might have already been lost. Nor does your lab get an extension for negotiating with the individual on the scope or format of the request. In other words, the clock still begins on the date of receipt, rather than the date negotiations end.

Compliance Pointer: Recognize that the federal HIPAA rules are minimum requirements and that states can impose shorter deadlines and more stringent requirements. So, be sure to check the rules of your own state.

The HIPAA Right of Access Initiative

Historically, the OCR, the agency in charge of enforcing the HIPAA Privacy Rule, has focused on unlawful collection, use, and disclosure of PHI and on provider efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, total right of access fines reached 14. A change in administration hasn’t resulted in a change of enforcement policy: the Biden administration’s OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest under the initiative. The momentum has continued with two more right of access fines issued in March, bringing the total to 27. Here’s a scorecard of all announced settlements to date.

OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)

| Provider | Settlement Amount* | Allegations |
|---|---|---|
| Banner Health ACE | $200,000 | OCR cites two occasions in which the Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI |
| Rainrock Treatment Center, LLC dba Monte Nido Rainrock | $160,000 | Florida eating disorder treatment center took more than 8 months to fulfill a patient’s request for a copy of her medical records |
| St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to a patient’s mother even though she was his legal representative |
| Dr. Robert Glaser | $100,000 | New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing a patient a copy of their medical record |
| NY Spine Medicine | $100,000 | Neurology practice refused a patient’s multiple requests for copies of specific diagnostic films |
| Bayfront Hospital | $85,000 | Florida hospital didn’t provide an expectant mother timely access to the PHI of her unborn child |
| Korunda Medical | $85,000 | After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent a patient’s PHI to a third party in the wrong format and charged him excessive fees |
| Children’s Hospital & Medical Center | $80,000 | Nebraska hospital failed to provide the mother of a minor patient timely access to her daughter’s medical records, despite repeated requests |
| Renown Health, P.C. | $75,000 | Nevada private, not-for-profit health system didn’t timely honor a patient’s request to transfer her EHR and billing records to a third party |
| Sharp Rees-Stealy Medical Centers | $70,000 | California hospital and health care network didn’t timely honor a request to transfer a patient’s EHR to a third party |
| Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored the request of a personal representative seeking access to her father’s PHI |
| Arbour Hospital | $65,000 | Massachusetts mental health services provider kept a patient waiting 5 months before granting access to his PHI |
| University of Cincinnati Medical Center, LLC | $65,000 | Ohio academic medical center failed to respond to a patient’s request to send an electronic copy of her medical records maintained in its electronic health record (EHR) to her lawyers |
| Housing Works Inc. | $38,000 | New York City non-profit services provider refused a patient’s request for a copy of his medical records |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Georgia primary care practice failed to provide a patient access to his medical records |
| *Advanced Spine & Pain Management | $32,150 | Ohio pain services provider took nearly 4 months to provide a patient requested medical records |
| Dr. Donald Brockley, D.D.M | $30,000 | Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record |
| Denver Retina Center | $30,000 | Colorado ophthalmological services provider took 8 months to provide requested medical records and lacked compliant access policies |
| Village Plastic Surgery | $30,000 | New Jersey practice failed to provide a patient timely access to his medical records |
| Jacob and Associates | $28,000 | Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for five years in a row |
| Riverside Psychiatric Medical Group | $25,000 | California medical group didn’t provide a patient a copy of her medical records despite repeated requests and OCR intervention |
| Dr. Rajendra Bhayani | $15,000 | NY physician didn’t provide a patient her medical records even after OCR intervened and closed the complaint |
| All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused a patient’s requests to inspect and receive a copy of her records |
| Wake Health Medical Group | $10,000 | North Carolina primary care provider never furnished requested records despite charging the patient a $25 access fee |
| Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide a personal representative access to his minor son’s medical record |
| Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | West Virginia diabetes clinic made the mother of a minor patient wait nearly 2 years for access to his medical records |
| King MD | $3,500 | Virginia psychiatric practice didn’t provide a patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint |

*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years.

Preventing Liability

The key to protecting your own lab from liability is to educate your staff on how and when to respond to patient and OCR PHI access requests. Being sure that people who receive requests understand the timelines and urgency involved is part of the solution. Another best practice is to prepare staffers to field patient questions about their access rights. “Record access disputes are often the product of miscommunication and patient misunderstanding over what they are and are not entitled to expect,” notes a Washington, DC, HIPAA compliance consultant who asked to remain nameless. One effective strategy is to prepare a script of patient FAQs and how to respond to each of them, like the Model Script on page 12 and the Laboratory Compliance Advisor webpage.

Implementation Strategy

Give copies of the script to front line staff who routinely field patient PHI access questions, including any person who has face-to-face, phone, or remote contact with patients. Warn staffers not to panic or improvise an answer if and when a patient asks a tough question that the script doesn’t address; instead, they should refer the question to your lab’s privacy officer or other privacy contact, who should be listed on your Notice of Privacy Practices (NPP).
