HIPAA Right of Access Initiative: 2020 Year in Review

In 2020, the Office for Civil Rights (OCR) kept the promise it made the prior year to “vigorously enforce” the rights of patients to access and exercise control over their medical records. OCR has settled ten “right of access” investigations since September 2020 alone. The settlements extended across a wide range of covered entities, from large health care systems to smaller focused mental health service providers, and the settlement amounts varied widely, ranging from $3,500 to $160,000.

In addition to the monetary settlements, all the covered entities involved are subject to detailed corrective action plans (CAPs), which include one to two years of monitoring by OCR. Importantly, all of the investigations that resulted in settlements to date were initiated after the individual trying to access the records filed a complaint with OCR. In several cases, the individual made multiple complaints to OCR over time after the individual was unable to access the requested records.

A detailed summary of each settlement appears of the bottom of this post, but a key takeaway is that covered entities must respond to an individual’s access request no later than 30 days after receipt of the request. All of the settlements to date involved, at least in part, a failure to respond within that required timeframe.

Note that OCR released proposed rules yesterday that, if finalized, would implicate many of the right of access provisions below. Stay tuned for Foley’s forthcoming blog on those proposed rules.

Summary of HIPAA’s Access Right

HIPAA provides that covered entities must permit individuals to inspect and obtain a copy of their protected health information (PHI) maintained in a designated record set, with very limited exceptions. 45 CFR § 164.524. OCR has issued additional guidance on the access right, making clear the right is very broad. Considering OCR’s recent interest in enforcement in this space, covered entities should ensure their policies, procedures, and practices support individuals’ access rights in accordance with HIPAA’s requirements, including the following areas. Note that to the extent state law provides individuals with greater access rights than HIPAA, covered entities must follow the state law in addition to HIPAA.

• Timeframe for Responding. Covered entities must act on the request no later than 30 days after receipt by (i) providing the access requested, (ii) denying the request if permitted by HIPAA, or (iii) notifying the individual that an extension is needed in accordance with HIPAA’s requirements. OCR states in its access guidance that “30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.” OCR further states that covered entities may be able to provide individuals with “almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means” and that “individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day to day operations.”
  
  
• Designated Record Set Scope. Individuals have the right to access PHI maintained in a “designated record set.” The definition of “designated record set” is broad. It includes medical records and billings records maintained by or for a provider, enrollment and payment records maintained by or for a health plan, or any other records used to make decisions about individuals, regardless of whether these records have actually been used to make decisions about the particular individual requesting access. 45 C.F.R. § 164.501. Covered entities should clearly define in the covered entity’s policies and procedures the information that is included in the “designated record set.”
  
  
• Form and Format Requested. Covered entities must provide access to PHI in the form and format requested by the individual, if readily producible in that form and format. If the PHI is not readily producible in the request form and format, the covered entity and individual will need to mutually agree on another form and format. If an individual requests a form of electronic copy that the covered entity is unable to produce, the covered entity must offer other electronic formats that are available on its systems. The covered entity can only provide a hard copy of the PHI to fulfill the request if the individual declines all the electronic formats offered by the covered entity. Note that OCR has stated that “mail and e-mail are considered readily producible by all covered entities.”
  
  
• Fees. HIPAA has very specific limitations on the fees that can be charged to individuals accessing their own PHI. Individuals can only be charged for the cost of:
  
  
  1. Labor for copying the requested PHI (whether in paper or electronic form). This does not include any labor to identify, retrieve, collect, compile, or collate the requested PHI;
  2. Supplies for creating a paper copy or responsive electronic media (e.g., CD-ROM or USB) if the individual requests access via portable media;
  3. Postage for paper copies that individuals request be mailed; and
  4. Preparation of an explanation or summary of the responsive PHI, only if such summary and cost is agreed to by the requesting individual in advance.

  Other costs cannot be charged, even if permitted by state law. Note these fee limitations do not apply to an individual’s request for a covered entity to transmit records directly to a third party.
  
  

• Written Request. Covered entities can control how individuals make access requests. For example, covered entities may require that individuals make access requests in writing, provided individuals are informed of any such requirements. Covered entities may also require individuals to make requests in the covered entities supplied form and/or offer individuals the opportunity to make requests through electronic means (e.g., via email or secure web portal). However, covered entities may not implement request requirements that create a barrier to individual’s exercising their access rights or unreasonably delay access to their PHI. 

  Note that covered entities should not require individuals to complete a full HIPAA authorization to exercise their access rights under HIPAA. Because a HIPAA authorization requests more information than is necessary, or which may be relevant, for individuals to exercise their access rights, OCR states that requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.
  
  

• Right to Direct Copies to a Third Party. HIPAA’s access rights provide individuals with  the right to direct a covered entity to transmit their electronic PHI directly to a third party designated by the requesting individual. This request must be in writing, be signed by the requesting individual, and clearly identify the designated third party and the where to send the PHI.

In the words of OCR Director Roger Severino, “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”