HIPAA Right of Access

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

HIPAA Right to Access Initiative is Alive & Well

In 2019 we witnessed the Office for Civil Rights (OCR) make it public that they were going to up their efforts when it came to enforcing the rights of an individual to access their health records. This is known as the HIPAA Right of Access initiative. While the global pandemic did throw a bit of a curveball to anything planned, a recent announcement of five cases being resolved gives confirmation that while things may not have gone entirely as planned, the HIPAA Right of Access initiative continued.

The initiative was created to support a patient’s right to time and cost-effective access to their health records. This is of course essential for a variety of reasons for an individual to maintain their well-being, but even that aside, it is the law.

What Happened?

The five settlements that were announced recently focused on enforcing the HIPAA Right of Access and included civil monetary payments. Advanced Spine & Pain Management (ASPM) had to pay $32,150 and agree to two years of monitoring that is part of a structured Corrective Action Plan (CAP). This is the result of an individual alleging that ASPM did not provide him with his protected health information (PHI) in a timely manner after requesting it in writing on November 25, 2019. They did provide the PHI – but not until March 19, 2020.

Denver Retina Center (DRC) had to pay $30,000 and work with a CAP that includes one year of monitoring. This was a result of a patient requesting her records in December of 2018 but not receiving them until July 26, 2019, per FedEx records. A previous complaint had been filed in March of 2018 and with technical assistance from HHS to DRC, it was initially resolved. However, the resolution was temporary as a further investigation (after the subsequent complaints) led to HHS concluding that the provider did not have compliant access procedures as required under the HIPAA Privacy Rule.

Rainrock Treatment Center (dba Monte Nido Rainrock) in Springfield Oregon had to pay $160,000 and take corrective action when they ignored repeated requests from a patient in 2019. The records were received in March of 2020, but only after three separate complaints had been filed with HHS. The required CAP will address their right of access procedures and policies which must be revised.

Dr. Robert Glaser is a cardiovascular disease and internal medicine doctor in New Hyde Park, New York. OCR found him to be uncooperative and unresponsive to their data requests and he now faces a $100,000 civil monetary penalty. A patient requested several times by both verbal and written requests to obtain their medical records for 2013 and 2014. A complaint was filed in 2017 with the HHS following up in a letter for Glaser to provide the information. In 2018 after the request was still not fulfilled, the patient filed a second complaint and the OCR followed up, and Glaser was nonresponsive.

After a patient request in June of 2019 (along with a $25 fee) was left unfulfilled, Wake Health Medical Group has been issued a fine of $10,000 and requirements to undergo a CAP to settle a potential HIPAA violation. As per the latest updates, the patient has still not received the requested medical records.

Each of these is different fines and corrective action plan terms, but they are all a result of a healthcare entity not putting priority on the patient’s request for their information. You’ll also notice that they are identified as “potential” violations because these cases are considered settlements, with none of the parties admitting to wrongdoing.

There are many myths around the HIPAA Right of Access, but it’s important to know that this initiative is not going away, and OCR will continue its enforcement efforts moving forward.

This article was originally published on HIPAA Secure Now! and is republished here with permission.