Ongoing Right of Access Issues

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

Apparently the Office for Civil Rights does still have older resolved HIPAA concerns in its hopper to release. The latest release about a civil monetary penalty continues the ongoing enforcement focus on the right of access. As has been seen with a few of the recent announcements, the imposition of a CMP means there is a bit more detail to dig into.

The Situation

The CMP was imposed against Oregon Health & Science University (OHSU), which is an academic health center that operates, among other things, two hospitals and a number of clinics. Given that OHSU runs hospitals and clinics, it should be no surprise that it holds protected health information about a lot of patients.

The issue in this instance involved multiple requests for records submitted by a personal representative of the affected party. The affected party, as referenced by OCR, was an individual who received healthcare services at OHSU. The personal representative had authority to act on the affected party’s behalf under a health care power of attorney. The relationship and authority of the individuals were not in question, and no objection as to the ability of the personal representative to make the request for access was raised.

The affected individual also retained an attorney at some point in time in connection with a civil matter. It is not stated whether the civil matter involved OHSU, though that fact wouldn’t necessarily impact the ability to request records. Ultimately, the attorney became the complainant that notified OCR of the access issues.

The timeline of actions is where things get problematic. Here’s the breakdown of activities reported in the Notice of Proposed Determination:

  • April 14, 2019 – The personal representative faxed a request for the affected individual’s records to OHSU and asked that an electronic copy be sent to a designated email address. There was no dispute that the request satisfied applicable requirements under HIPAA.
  • April 29, 2019 – OHSU’s business associate, Diversified Business Services (DBS), provided some but not all of the requested records. Remember DBS because the name will come back later.
  • November 12, 2019 – The affected individual’s attorney faxed another written request for records to OHSU and noted that the records should be provided to the attorney. Again, there was no dispute as to the validity of the request.
  • November 12, 2019 – OHSU assigned the request to DBS.
  • November 21, 2019 – The attorney received notification (presumably from DBS) that the request for access was denied because the request did not contain a date. OHSU subsequently admitted that the denial was in error.
  • November 22, 2019 – The attorney submitted a follow-up request for the affected individual’s records. The request was again sent by fax to OHSU. This request was denied because an invoice for the records request was not paid. As with the immediately previous request, OHSU subsequently admitted that the denial was in error.
  • May 5, 2020 – The personal representative re-entered the picture with a request for the affected individual’s records.
  • May 20, 2020 – The attorney also sent in another request for records. The request sought the same records as the November 22, 2019 request. At the same time, the attorney filed a complaint with OCR that the requests for access were not being responded to in an appropriate manner.
  • May 29, 2020 – As with the previous request from the personal representative, OHSU provided some, but not all, of the requested records.
  • July 24, 2020 – The attorney sent yet another request to OHSU, which OHSU, again, admitted was denied in error.
  • September 2, 2020 – OCR closed the May 20, 2020 complaint by providing technical assistance to OHSU on how to respond to a request for access. The technical assistance was provided directly to OHSU. The letter was sent to, and receipt was acknowledged by, OHSU’s Privacy Officer.
  • January 27, 2021 – The attorney for the affected individual submitted a second complaint to OCR. The complaint stated that a complete set of records had yet to be provided by OHSU.
  • August 12, 2021 – OCR notified OHSU of the second complaint. Why was notification delayed for 8 months? Also, did the attorney, personal representative, or affected individual have any interaction with OHSU in the interim? None of those questions are answered, but would certainly be interesting to get insight on.
  • August 26, 2021 – OHSU finally provided all of the requested records.
  • April 1, 2020 – OCR notified OHSU of the results of the investigation that stemmed from the complaints and lack of action by OHSU. The letter included an offer to settle the matter informally.
  • July 24, 2023 – OCR issued a Letter of Opportunity that gave OHSU a chance to submit written evidence of mitigating factors related to OCR’s determinations.
  • September 19, 2023 – OHSU tendered its response.

Claimed Affirmative Defenses

Based on the summary from OCR, OHSU tried presenting two different affirmative defenses. The first affirmative defense appears to claim that the alleged violation was not the result of willful neglect and corrected within 30 days of OHSU knowing of the issue. Going back to the facts, the correction within 30 days seems to connect to OHSU finally providing all of the requested records within 30 days of OCR informing OHSU of the second complaint.

However, OCR did not buy that defense. Instead, OCR pointed to the technical assistance provided almost a year earlier, which likely gave OHSU detailed information on how to appropriately respond to a request. A full response clearly did not happen in September 2020, as the recitation of facts makes it clear that the full records were only provided in late August 2021. In denying the defense, OCR takes the position that OHSU should have known about its full obligations following provision of the technical assistance. It is hard to argue with that point.

The second affirmative defense involved pointing the finger at DBS. As noted above, the name DBS had to be remembered because it was a vendor used by OHSU to respond to requests for access. Use of outside vendors in that capacity is common in healthcare. Responding to requests can admittedly be time-consuming and potentially voluminous. A cottage industry exists to support health systems and other healthcare organizations to pull and provide records.

Since OHSU relied on DBS’s support to respond to requests, OHSU asserted that the lack of timely response was really a problem for DBS. Again, OCR did not accept the defense. OCR pointed to the plain language of the HIPAA Privacy Rule that puts primary responsibility on covered entities to honor the individual rights created under the Privacy Rule.

While a covered entity can delegate those responsibilities to a business associate, the covered entity is still liable for violations. There could be some liability shifting in the contractual relationship between OHSU and DBS, but that does not factor into the actions taken by OCR. A reminder was given that a business associate is an agent of the covered entity and the covered entity should be monitoring the compliance of its business associates.

The defense does raise an interesting point of whether OCR investigated DBS and its practices at all. A business associate can be directly liable to OCR for its own actions, so presumably it would be helpful for OCR to investigate and pursue enforcement against a business associate when it is directly involved in instances of alleged non-compliance.

The Takeaways

The first takeaway is one that has been covered before. When OCR comes in with technical assistance, listen to that assistance. OCR was clearly annoyed that OHSU did not act upon the technical assistance that was provided to ostensibly let the matter go away without punitive action being taken.

It is worth remembering that CMPs and settlements occur in a small fraction of the complaints and issues that OCR investigates. That means the vast majority of issues are resolved by organizations listening to the advice and assistance provided by OCR. If it is that easy to avoid having to suffer financially from an issue, why not listen?

The second takeaway is that a covered entity is responsible for everything that happens with the protected health information it holds or that its business associates hold. That is also relatively clear in the regulations and why the covered entity retains authority to respond or direct actions on requests.

At the same time, a covered entity does not have to handle all of the required activities on its own. That is where business associates enter the picture. The definition of a business associate helps underscore that the covered entity is ultimately responsible though. A business associate handles PHI for or on behalf of a covered entity. The business associate is not interacting with PHI for its own benefit. It all relates back to the covered entity. That is arguably why the regulations under HIPAA have the covered entity retain liability in all actions.

It is an important distinction to remember. It is also likely why many business associate agreements include provisions addressing division of liability, which is not a concept set forth in the HIPAA regulations. Instead, dividing liability is a private contractual matter to be resolved by the involved parties.

Further, OHSU’s settlement is a reminder for all covered entities to understand how business associates are doing in complying with HIPAA and the terms of arrangements between the parties. Pointing the finger will not work with the government.

Conclusion

Aside from listening to advice from OCR, the biggest action that the OHSU settlement will hopefully inspire is attention to details in the relationships between covered entities and business associates. An agreement cannot be set and forgotten. Willful or unintentional blind spots are not a defense. Not paying attention could also create friction with patients because the patient will usually think they are interacting with the covered entity and hold a grudge there, not with the business associate.

This article was originally published on The Pulse blog and is republished here with permission.