HIPAA Privacy Officers spend a lot of time and resources on making sure workforce members are not violating the use and disclosure requirements of the HIPAA Privacy Rule. However, it is also important for organizations to ensure that they are compliant with the HIPAA right of access requirements. In the 2020 HIPAA Compliance Benchmark Survey, fulfilling patient requests for their records was listed as either the first, second, or third priority for less than 10 percent of the respondents. However, this has become an area of enforcement focus for the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the past year. In early 2019, OCR announced its HIPAA Right of Access Initiative, which focuses on enforcement of the rights of patients and their personal representatives to request inspection or copies of their protected health information (PHI) held by covered entities.
OCR has followed up on the announcement of this initiative with enforcement actions. Over the past year, OCR has announced nine enforcement actions specifically regarding the HIPAA right of access. All the enforcement actions were implemented due to a failure of a covered entity to complete a request for access to medical records within 30 days. In many of the investigations, OCR provided technical assistance to the covered entities, but the covered entities failed to fulfill the request even after the assistance. These nine cases all concluded with the covered entities settling the allegations with OCR, paying fines of $3,500-$160,000, and entering two-year corrective action plans.
Therefore, it is important for covered entities to make sure they are complying with the right of access requirements. Some steps covered entities can take include the following:
- Make sure the organization has a clear policy and procedure on how to fulfill requests. The procedures for release of medical records should strike a balance between safeguards to ensure the correct person is getting the records and relatively easy requirements for the requesting individual. For example, requiring the individual to provide a copy of a driver’s license to prove identity can lead to improper barriers for some patients and delays in processing. Drafting and implementing these procedures usually requires strong collaboration between the privacy officer and the health information management department or medical records department.
- The privacy office or compliance office should conduct audits on release of records to ensure requests are being fulfilled and that they are being fulfilled within the required timeframe.
- The privacy team should work with the IT security team to ensure that individuals charged with completing access requests can and know how to locate all record sets containing PHI.
- Organizations should ensure they have a mechanism (such as a well-advertised helpline) for patients to follow up on requests for records. Organizations should respond to such calls immediately so requests can be fulfilled in a timely manner.
- Covered entities should ensure that appropriate terms are included in a business associate agreement (BAA) if the organization uses a third party to handle medical records or there is PHI held exclusively by a business associate. The BAA should include terms requiring the business associate to fulfil the covered entity’s requests for records in fewer than 30 days.
- Organizations should educate workforce members on the right of access as part of HIPAA training. Lots of organizations focus their HIPAA training on preventing improper uses and disclosures, but there should also be training on the right of access. Although providers may not always be responsible for giving the records directly to patients, they should be able to direct patients on how they can request their records.
A full briefing and conversation on all the 2020 HIPAA Compliance Benchmark Survey results will be presented by Lisa Shuman and Alexis Rose, of Strategic Management Services, on Thursday, October 22nd, at 2:00pm EDT. Participants will be given a copy of the full report. Registration is open to everyone at no charge.