HIPAA Right of Access Initiative: 2020 Year in Review
In 2020, the Office for Civil Rights (OCR) kept the promise it made the prior year to “vigorously enforce” the rights of patients to access and exercise control over their medical records. OCR has settled ten “right of access” investigations since September 2020 alone. The settlements extended across a wide range of covered entities, from large health care systems to smaller focused mental health service providers, and the settlement amounts varied widely, ranging from $3,500 to $160,000.
In addition to the monetary settlements, all the covered entities involved are subject to detailed corrective action plans (CAPs), which include one to two years of monitoring by OCR. Importantly, all of the investigations that resulted in settlements to date were initiated after the individual trying to access the records filed a complaint with OCR. In several cases, the individual made multiple complaints to OCR over time after the individual was unable to access the requested records.
A detailed summary of each settlement appears of the bottom of this post, but a key takeaway is that covered entities must respond to an individual’s access request no later than 30 days after receipt of the request. All of the settlements to date involved, at least in part, a failure to respond within that required timeframe.
Note that OCR released proposed rules yesterday that, if finalized, would implicate many of the right of access provisions below. Stay tuned for Foley’s forthcoming blog on those proposed rules.
Summary of HIPAA’s Access Right
HIPAA provides that covered entities must permit individuals to inspect and obtain a copy of their protected health information (PHI) maintained in a designated record set, with very limited exceptions. 45 CFR § 164.524. OCR has issued additional guidance on the access right, making clear the right is very broad. Considering OCR’s recent interest in enforcement in this space, covered entities should ensure their policies, procedures, and practices support individuals’ access rights in accordance with HIPAA’s requirements, including the following areas. Note that to the extent state law provides individuals with greater access rights than HIPAA, covered entities must follow the state law in addition to HIPAA.
- Timeframe for Responding. Covered entities must act on the request no later than 30 days after receipt by (i) providing the access requested, (ii) denying the request if permitted by HIPAA, or (iii) notifying the individual that an extension is needed in accordance with HIPAA’s requirements. OCR states in its access guidance that “30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.” OCR further states that covered entities may be able to provide individuals with “almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means” and that “individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.”
- Designated Record Set Scope. Individuals have the right to access PHI maintained in a “designated record set.” The definition of “designated record set” is broad. It includes medical records and billings records maintained by or for a provider, enrollment and payment records maintained by or for a health plan, or any other records used to make decisions about individuals, regardless of whether these records have actually been used to make decisions about the particular individual requesting access. 45 C.F.R. § 164.501. Covered entities should clearly define in the covered entity’s policies and procedures the information that is included in the “designated record set.”
- Form and Format Requested. Covered entities must provide access to PHI in the form and format requested by the individual, if readily producible in that form and format. If the PHI is not readily producible in the request form and format, the covered entity and individual will need to mutually agree on another form and format. If an individual requests a form of electronic copy that the covered entity is unable to produce, the covered entity must offer other electronic formats that are available on its systems. The covered entity can only provide a hard copy of the PHI to fulfill the request if the individual declines all the electronic formats offered by the covered entity. Note that OCR has stated that “mail and e-mail are considered readily producible by all covered entities.”
- Fees. HIPAA has very specific limitations on the fees that can be charged to individuals accessing their own PHI. Individuals can only be charged for the cost of:
- Labor for copying the requested PHI (whether in paper or electronic form). This does not include any labor to identify, retrieve, collect, compile, or collate the requested PHI;
- Supplies for creating a paper copy or responsive electronic media (e.g., CD-ROM or USB) if the individual requests access via portable media;
- Postage for paper copies that individuals request be mailed; and
- Preparation of an explanation or summary of the responsive PHI, only if such summary and cost is agreed to by the requesting individual in advance.
Other costs cannot be charged, even if permitted by state law. Note these fee limitations do not apply to an individual’s request for a covered entity to transmit records directly to a third party.
- Written Request. Covered entities can control how individuals make access requests. For example, covered entities may require that individuals make access requests in writing, provided individuals are informed of any such requirements. Covered entities may also require individuals to make requests in the covered entities supplied form and/or offer individuals the opportunity to make requests through electronic means (e.g., via email or secure web portal). However, covered entities may not implement request requirements that create a barrier to individual’s exercising their access rights or unreasonably delay access to their PHI.
Note that covered entities should not require individuals to complete a full HIPAA authorization to exercise their access rights under HIPAA. Because a HIPAA authorization requests more information than is necessary, or which may be relevant, for individuals to exercise their access rights, OCR states that requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.
- Right to Direct Copies to a Third Party. HIPAA’s access rights provide individuals with the right to direct a covered entity to transmit their electronic PHI directly to a third party designated by the requesting individual. This request must be in writing, be signed by the requesting individual, and clearly identify the designated third party and the where to send the PHI.
In the words of OCR Director Roger Severino, “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”
| # | Settlement Date | Alleged Violation(s) | Summary of Facts | Settlement |
| 1 | Sept 2019 | - Timely Access | - Failed to provide a mother timely access to records about her unborn child. - Records were provided > 9 months after initially requested. - Access right “extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.” |
$85,000 + CAP w/ 1 year of monitoring |
| 2 | Dec 2019 |
- Timely Access |
- Failed, despite repeated requests, to timely provide a patient’s medical records to a third party in the requested electronic format. - Charged more than the reasonable cost-based fees allowed under HIPAA. - OCR provided assistance on how to correct issue and closed the complaint. - Records provided 2 months later after OCR’s second intervention. |
$85,000 + CAP w/ 1 year of monitoring |
| 3 | Sept 2020 | - Timely Access | - Failed to provide a patient with copies of his medical records. - OCR provided technical assistance and closed the complaint. - OCR received second complaint that patient had still not received his records. - Records provided 4 months later. |
$38,000 + CAP w/ 1 year of monitoring |
| 4 | Sept 2020 | - Timely Access | - Denied a patient’s requests to inspect and receive a copy of her records. - Sent patient records 16 months later after OCR opened an investigation. |
$15,000 + CAP w/ 2 years of monitoring |
| 5 | Sept 2020 | - Timely Access | - Failed to respond to request from a personal representative seeking access to her father's medical records. - Records provided 8 months later after OCR opened an investigation. |
$70,000 + CAP w/ 1 year of monitoring |
| 6 | Sept 2020 | - Timely Access | - Failed to respond to an individual's request for access to her medical records. - OCR provided technical assistance and closed the complaint. - OCR received second complaint that patient had still not received her records. - Individual received her medical records 23 months later. |
$3,500 + CAP w/ 2 years of monitoring |
| 7 | Sept 2020 | - Timely Access | - Failed to provide a personal representative with access to his minor child’s medical records requested. - OCR provided technical assistance and closed the complaint. - OCR received second complaint that the personal representative had still not received the records. - Records sent 18 months later. |
$10,000 + CAP w/ 1 year of monitoring |
| 8 | Oct 2020 | - Timely Access | - Failed to provide a personal representative with access to minor child’s medical records beginning in January 2018. - Provided some of the requested records, but not all of them despite the personal representative’s follow up requests in March, April, and May 2018. - All requested medical records provided in December 2019, more than 22 months after the initial request. |
$160,000 + CAP w/ 2 years of monitoring |
| 9 | Oct 2020 | - Timely Access | - Individual made multiple requests for a copy of her medical records. - Provided some of the records, but did not provide the diagnostic films specifically requested. - All requested medical records provided 16 months after the initial request. |
$100,000 + CAP w/ 2 years of monitoring |
| 10 | Nov 2020 | - Timely Access - Proper Denial of Access to Psychotherapy Notes |
- Failed to provide patient a copy of her medical records despite multiple requests. - OCR provided technical assistance and closed the complaint. - OCR received second complaint that patient had still not received the records. - Covered entity stated that because the requested records included psychotherapy notes, it did not have to comply with the access request. - However, entity did not follow HIPAA’s requirements for denying access to the applicable records and did not provide access to all other requested records. - All requested medical records, minus psychotherapy notes, were provided to the patient 20 months after the initial request. |
$25,000 + CAP w/ 2 years of monitoring |
| 11 | Nov 2020 | - Timely Access | - Failed to provide a patient with access to her medical records. - OCR provided technical assistance and closed the complaint. - OCR received second complaint that patient had still not received the records. - All requested medical records provided 26 months after the initial request. |
$15,000 + CAP w/ 2 years of monitoring |
| 12 | Nov 2020 | - Timely Access - Transmission to Third Party - Form/Format |
- Failed to timely provide a patient’s medical records to a third party in the requested electronic format. - Rights include the right to have electronic records timely transmitted to a third party. - Investigation determined that the covered entity failed to timely provide records per the request. - Records received 6 months after the initial request. |
$65,000 + CAP w/ 2 years of monitoring |
