Health Information Compliance Alert

Case Study:

Will HIPAA Right of Access Cases Trend Up in 2021?

Expect some change under a new administration.

From cybersecurity woes to policy turnarounds to a pandemic, covered entities (CEs) had a lot to deal with in 2020. However, one thing remained relatively steady last year — HIPAA Right of Access enforcement. Yet, just because 2020 saw an uptick of cases, that doesn’t necessarily signal that 2021 will be as busy.

Background: In 2019, the HHS Office for Civil Rights (OCR) announced its HIPAA Right of Access Initiative and followed that announcement with its first case in September of that year (see Health Information Compliance Alert, Vol. 19, No. 9). The OCR continued to settle case after case over the next 15 months, with its 13th HIPAA Right of Access settlement coming on Dec. 22, 2020.

Details: In the final case of last year, OCR settled an April 2019 complaint from a patient concerning his requests to access his medical records. Peter Wrobel, MD, PC, of the Georgia-based Elite Primary Care “agreed to take corrective actions and pay $36,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard,” notes an agency release. The patient eventually received his records in May 2020.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Healthcare providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino in a release on the last case of 2020.

Don’t Forget About the D.C. Court Decision

Even a controversial court case couldn’t circumvent OCR’s record-breaking enforcement.

Reminder: A 55-page ruling in January 2020 by Washington, D.C. Federal District Court Judge Amit Mehta sowed more confusion for CEs and their business associates (BAs) on Right of Access matters. The court’s decision pertained to a 2018 case between Ciox Health LLC and the Department of Health & Human Services (HHS) on the transmittal of patients’ protected health information (PHI) and data transfer costs (see Health Information Compliance Alert, Vol. 20, No. 2).

This case didn’t impede the agency’s fervor on patients’ rights to access their health data, nor did the COVID-19 public health emergency (PHE) slow down the caseload. In fact, the ruling has added more concern than clarification for CEs on the issue, suggests HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Understanding the changes “has been complicated by the court decision that limits the applicability of the rules for limits on fees for individual access, depending on the recipient and the information format, electronic or paper,” he says.

Register These Settlement Logistics

Clearly, Right of Access has been at the top of the OCR’s to-do list over the past year. The settlements ran the gamut from small firms to larger organizations and included issues related to timely access to PHI, third-party transmission, and records costs, suggesting that no one is exempt from federal scrutiny.

All of the Right of Access enforcements outline case-specific penalties and include corrective action plans (CAPs) for the CEs. The settlements ranged from $3,500 for a 2018 records request issue at King MD, a small Virginia psychiatric services provider, to $160,000 over multiple requests by a mother for her son’s records at St. Joseph’s Hospital and Medical Center in Phoenix.

Time factored heavily in the penalties as well, indicate attorneys Jennifer J. Hennessy, Chloe B. Talbert, and Jennifer L. Urban with international law firm Foley & Lardner LLP in online legal analysis.

“A key takeaway is that covered entities must respond to an individual’s access request no later than 30 days after receipt of the request. All of the settlements to date involved, at least in part, a failure to respond within that required timeframe,” Hennessy, Talbert, and Urban write.

Because OCR’s enforcement encompassed such a wide range of entities and issues over individuals’ access to their records this past year, the actions “leave little doubt as to the breadth and applicability of the rules,” says Sheldon-Dean. “It should be clear by now that providing patient access is not going to go away, and that not following the rules can be expensive, with penalties tailored to cause pain for a variety of sizes and types of institutions,” he warns.

Prepare Now for Changes Ahead

As the feds push to align their policies with 21st Century Cures Act mandates and recent HIPAA updates, patients’ rights are sure to be at the forefront of policy making. That’s why it’s essential to make HIPAA compliance a priority in 2021 — even with the many changes that are expected during an administration transition.

“The rules, the changes, and the expected changes under the CURES Act all need to be fully absorbed by staff involved with Release of Information — and any HIPAA business associates involved need to likewise be up-to-date,” Sheldon-Dean reminds. “The old ways just don’t apply anymore, and if you lag in compliance you can expect a discussion with OCR. This will be an effort that will take some time, training, and adjustment for many institutions, but has to take place now,” he explains.

Sheldon-Dean continues, “I think we can expect a slowdown in action from HHS during the transition of the administration, but these issues have been around a lot longer than any administration and will continue to be a focal point.”

As you update your procedures and policies, you may want to consider these HIPAA tips to deal with Right of Access:

  • Train your workforce on individuals’ rights to access their health data, and what this means to your organization. This includes updating staff on changes to HIPAA like enforcement discretions or notices of proposed rulemaking.
  • Review the 13 cases’ CAPs for advice on what to avoid and what the OCR expects on Right of Access compliance. Examples include maintaining policies, revising training materials as necessary, setting reasonable fees, and assessing risks often.
  • Don’t ignore patients’ requests for their records and keep on top of due dates and time requirements.
  • Address any third-party HIPAA concerns and hammer out a comprehensive business associate agreement (BAA).
  • Keep a written record of your organization’s policy updates, so you have recourse if problems pop up.

Resources: Review OCR guidance on Right of Access at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html and find links for the 13 cases at www.hhs.gov/ocr/newsroom/index.html.