By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The Office for Civil Rights (OCR) continues to dig into reports about delayed access to records by covered entities. The initial flurry of resolutions from many years ago now has not necessarily resulted in a significant change of behavior, which is frankly a bit surprising. OCR’s position on the issue is not a mystery at this point in time and the right of access portion of the Privacy Rule is pretty clear on obligations. With all of that in mind, the most recent penalty imposed by OCR offers a bit more transparency than usual into the process because it was a civil monetary penalty as opposed to a mutual resolution.
The Setup
The most recent determination involves American Medical Response (AMR), which is an emergency response company. Really a fancy way of saying that it is an ambulance company. As an ambulance company AMR is a covered entity, which means it has to fully comply with all of the requirements set out in HIPAA’s various rules, including the right of access.
So what happened? As reported by OCR in its Notice of Proposed Determination, which apparently was not contested, an individual submitted a request for a copy of their records in electronic form by fax on October 31, 2018. The request asked for what seems like a copy of everything that AMR might have held about the individual. The fax was sent to AMR’s Seattle office. The individual received a fax transmission report confirming AMR’s receipt of the request.
As what seems like a precaution, the individual sent a physical written request to AMR’s Seattle office by certified mail on November 8, 2018. The confirmation of delivery occurred on November 13, 2018. That meant there were two compliant requests delivered with receipt confirmed.
Months went by without a response. As a result, the individual sent two follow-up requests on January 24, 2019. One request was sent by certified mail to AMR’s Los Angeles office. The other request was sent by fax to Centrex, an entity identified as one of AMR’s business associates. Receipt was confirmed on January 24, 2019.
The records were still not produced. However, AMR did finally respond on March 1, 2019. Instead of providing the records, though, AMR sent an invoice that it stated had to be paid before the records would be provided. The individual, through their attorney, responded on March 18, 2019, reminding AMR that the request for access had been sent and if no records were provided, then a complaint would be filed with OCR.
The complaint was filed with OCR on July 29, 2019. OCR launched its investigation with a data request to AMR on October 9, 2019. Subsequent to the launch of the investigation, AMR finally provided the requested records on November 5, 2019.
The Findings
The factual background does not paint a great picture for AMR. The process for handling requests for access implemented by AMR gives a bit more insight. At the time of the initial request and OCR’s investigation, AMR required individuals to send requests to its Seattle office. The Seattle office would then send the requests to AMR’s Los Angeles office. The Los Angeles office would then send the request to Centrex, a business associate, to actually process the request. The multi-step process should seem overly complex.
AMR reportedly changed its process in response to OCR’s investigation. The notice does not detail the changes, but only says that the process was streamlined.
After the findings, OCR offered AMR the opportunity to respond. OCR does not reveal the contents of the response other than to say that it found the response did not present any actual challenge to OCR’s findings. The only pushback seemed to be that AMR did not act with willful neglect and that AMR timely corrected the problem. Unsurprisingly, OCR did not agree. OCR noted that the specific request issue was not corrected for 370 days and it only occurred as a result of the investigation.
Following delivery of the Notice of Proposed Determination on October 4, 2023, AMR chose to waive any appeal rights. At the end of the day, the final determination imposed a $115,200 penalty on AMR for its failure to respond.
Lessons
As usual, there are some lessons to take away from the settlement. The first and most important is to review the process for ingesting and responding to requests for access. Is the process overly complicated and likely to let requests slip through the cracks? Are there too many unnecessary steps where confusion can occur? If the answer is yes or unclear, then the process should be revised. Implementing a clear, understandable process is very important. The process should be clear both for internal and external individuals.
Another component that only warranted a brief mention in the settlement was AMR’s attempt to require payment in advance before the records would be provided. That’s a bit contrary to OCR’s guidance on how to respond to requests for access, especially when the request is for data in an electronic form. The scope of the fee that can be imposed will usually be fairly modest. That suggests thinking through what goes into the determination of the fee and when it should be presented.
Finally, as always, another lesson is to take advice from OCR seriously. The recitation of facts by OCR carries the implicit frustration that AMR did not believe the issues that OCR was presenting. Ignoring or not timely following guidance or advice can be problematic when those statements are coming from the agency in charge of enforcing a regulation.
Conclusion
The penalty imposed on AMR is only the latest in the string of request for access settlements and penalties. The spotlight is not going away from this issue, so all organizations are well advised to constantly review and assess how responses are going.
This article was originally published on The Pulse blog and is republished here with permission.