Pocket This Q&A Set on HIPAA Right of Access

Warning: OCR continues focus with 20th settlement.

The feds’ HIPAA enforcement caseload has been light of late, which isn’t surprising with the COVID-19 public health emergency (PHE) consuming much of the nation’s collective bandwidth. However, one area persists in being a thorn in covered entities’ (CEs) sides — patients’ requests for access to their health records in a timely manner.

Background: On Sept. 10, the HHS Office for Civil Rights (OCR) announced its 20th settlement under its Right of Access Initiative since the program’s inception in September 2019. This is the seventh HIPAA enforcement case settled by the Biden administration, and of the seven settlements, six have dealt specifically with Right of Access investigations.

Details: Children’s Hospital & Medical Center (CHMC), a pediatric healthcare provider in Omaha, Nebraska, failed to furnish a parent with all of her child’s medical records after they were requested in May 2020, according to an OCR release. CHMC only offered the parent partial records, and a complaint was filed with OCR, which triggered a subsequent inquiry.

OCR’s “investigation found that on January 3, 2020, [the] Complainant submitted a written request to CHMC for access to her late minor daughter’s medical records,” notes the Resolution Agreement. “At the time of the request, CHMC provided [the] Complainant with a portion of the requested records.” But the organization wasn’t able to immediately transfer the remainder of the records to the parent, as they were stored at another CHMC location. Eventually, the rest of the patient’s records were delivered to the parent on June 20, 2020, and July 16, 2020, the Resolution Agreement shows.

“Under HIPAA, a parent is a ‘personal representative’ of a minor child and must be treated like a patient when exercising the right of access,” explains Atlanta-based attorney Madison M. Pool with law firm Arnall Golden Gregory LLP in online legal analysis. “This Resolution Agreement highlights that partial compliance does not meet the HIPAA Privacy Rule’s right of access standard, even when a request requires collecting records from various divisions of the covered entity,” Pool expounds.

Result: To settle the potential Right of Access violation, CHMC agreed to pay OCR $80,000 and enter into a corrective action plan (CAP), plus one year of OCR monitoring. “This settlement … should be a reminder to all HIPAA-covered entities that compliance with the HIPAA right of access remains important and privacy rights will likely continue to be a priority of this presidential administration,” caution Philadelphia-based attorneys Bruce D. Armon and Samantha R. Gross with law firm Saul Ewing Arnstein & Lehr LLP in online legal analysis.

Consider These 5 Tips to Thwart Right of Access Woes

Despite significant guidance on the subject and substantial enforcement actions over the last two years, CEs continue to have issues with Right of Access compliance. The CHMC Resolution Agreement and past settlements offer a roadmap for providers to follow and assist with policymaking. Take a look at five basic Right of Access questions and answers that will help you get started on creating your own policies and procedures:

Question 1: Who should be trained on HIPAA Right of Access requirements?

Answer 1: If part of a workforce member’s job requires them to receive, process, or fulfill individuals’ requests for their records, then they must be trained on HIPAA Right of Access regulations. “Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process, and doing so in a timeframe that keeps the entity compliant,” explains partner attorney Valerie Breslin Montague with law firm Nixon Peabody LLP in a May blog posting.

Question 2: How much can CEs charge for the request?

Answer 2: HIPAA offers a very complicated methodology for calculating fees for medical records requests, so there isn’t an exact amount per se. CEs are permitted to “charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI,” OCR says. They can calculate those fees by adding up “certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual,” the agency adds. CEs can also opt for a flat fee not to exceed $6.50 for electronic copies of protected health information (PHI).

Important: CEs must let requesters know in advance that a fee may be applied. Additionally, fees can never pose a financial barrier to individuals’ requests for their records — or enforcement action will ensue, OCR warns.

Question 3: How do state laws impact individuals’ rights to access their PHI?

Answer 3: CEs should always review state privacy laws before setting up HIPAA policies and procedures, especially those related to Right of Access. “The HIPAA Privacy Rule sets a Federal ‘floor’ of privacy protections,” clarifies the HHS Office of the National Coordinator for Health Information Technology (ONC) in online guidance. “Many States have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.”

Fees: CEs may want to revisit their state’s fee structures for medical records, too, as some states prohibit fees while others authorize them.

Question 4: Is there information that patients don’t have a right to access?

Answer 4: Yes, there are a few limited exceptions to the Rule. For example, CEs do not have to turn over data compiled and created for use in legal proceedings. Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content. Since this data is “maintain[ed] separately from the individual’s medical record” and is used to “document or analyze the contents of a counseling session with the individual,” the information is exempt under HIPAA, OCR indicates.

Question 5: What is the timeline for delivery of records to the individual?

Answer 5: Currently, the HIPAA Privacy Rule requires CEs to get patients their PHI “no later than 30 days from the individual’s request,” OCR guidance says. This timeline, however, is just “an outer limit,” and the feds prefer that CEs respond as quickly as possible — especially if health IT is being utilized for the transfer of the data in an electronic form. When PHI is stored offsite and the CE cannot offer access within the 30-day timeframe, the Rule allows for a maximum extension of an additional 30 days, OCR guidance maintains. The CE must let the individual know in writing during the initial 30 days that an extension is necessary, why there will be a delay, and when the patient should expect access to their records.

Don’t forget: State laws are often more stringent than HIPAA, and turnaround times do differ by state. Furthermore, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking last year that aims to reduce the records request timeline from 30 days to 15 days (see Health Information Compliance Alert, Vol. 21, No. 1).

Resources: Review the CHMC case particulars and Resolution Agreement at www.hhs.gov/about/news/2021/09/10/ocr-resolves-twentieth-investigation-in-hipaa-right-of-access-initiative-with-settlement.html. Find Right of Access information at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs.