HIPAA: Second Settlement this Year Related to Right to Access Initiative

On December 12, 2019, the Office for Civil Rights (OCR) announced its second enforcement action this year related to an individual’s right to access his/her protected health information (PHI). Korunda Medical, LLC (Korunda) settled with OCR for $85,000 for a potential violation of HIPAA’s Right of Access Initiative, designed to ensure covered entities are providing individuals with access to their PHI in accordance with HIPAA’s requirements.

In March 2019, OCR received a complaint from a Korunda patient alleging that Korunda failed to timely forward the individual’s PHI in an electronic format to a third party. In addition to Korunda’s delay in providing access to the PHI, Korunda did not provide access in the format requested, and charged more than a reasonable cost-based fee.

OCR first attempted to provide Korunda technical assistance on how to afford proper access to the individual in an attempt to close the complaint. After Korunda’s continued failure to provide the proper access in a timely manner, a second complaint was made to OCR, at which time OCR opened an investigation into Korunda’s HIPAA compliance.

The Korunda settlement is OCR’s second enforcement of the Right of Access Initiative, with the first also resulting in a $85,000 settlement. In a press release from OCR announcing the Korunda settlement, OCR’s Director Roger Severino, stated, "For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law."

In the wake of OCR’s enforcement actions involving individuals’ right to access his/her PHI, covered entities should carefully review HIPAA’s right to access requirements, including OCR’s Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 guidance. We have summarized certain of the requirements here:

Timeframe for Response: The covered entity must permit the individual to inspect and/or obtain a copy of the individual’s PHI maintained in a designated record set (or deny access where permitted) no later than 30 days after receiving the individual’s request. OCR states the “30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.” HIPAA provides an option to extend the time by an additional 30 days if proper procedures are followed (including the requirement to inform the individual of the reason for the delay).
Form and Format of the PHI: PHI must be provided in the form and format requested by the individual, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. Note that OCR states that email is considered readily producible by all covered entities. If an individual requests transmission by unsecured email, the covered entity should warn the individual of the risks of transmitting PHI in an unsecured manner and generally speaking, the covered entity is not responsible for disclosure of PHI while in transmission if individual still wants the PHI transmitted in an unsecured manner, after being warned.
Format of Individual’s Request: A covered entity may require individuals to request access in writing, and may require use of the covered entity’s form, as long as the covered entity informs individuals of this requirement in advance (e.g., in the Notice of Privacy Practices) and it does not create a barrier to or unreasonably delay the individual from obtaining access to the PHI. Note that covered entities cannot require individuals to fill out a full HIPAA authorization to obtain access to his/her own records, as OCR has stated this would be an impermissible barrier to access.
Right to Direct Copy of PHI to a Third Party: An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. This is still considered an “access” request and is subject to the all requirements for responding to an individual’s access request, such as the fee limitations below. Where it is unclear, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the covered entity should clarify with the individual whether the request was a direction from the individual or a request from the third party.
Fees: HIPAA strictly limits the fees that individuals may be charged for access to PHI. The fee charged may include only the cost of: (1) labor for copying the PHI once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive), if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual in advance. Fee may not include costs associated with verification; documentation; searching for or retrieving PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed in (1) – (4). Individuals must be informed in advance of approximate fee that may be charged.

In addition to Korunda’s $85,000 settlement, Korunda also entered into a Corrective Action Plan (CAP) with OCR, which requires Korunda to submit information to OCR every 90 days regarding all access requests received, and supporting documentation for any denied requests for access, during the one year term of the CAP. Korunda also must update its HIPAA policies and procedures and provide HIPAA training to workforce members.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.