Adapt policies now to ensure employees know the rules. Due to the pandemic, HIPAA enforcement actions have been relatively sparse these past few years — with one exception: Right of Access settlements. In fact, the feds ended 2022 and opened 2023 with resolutions under the Right of Access provision. Read on for the scoop. Background: When the HHS Office for Civil Rights (OCR) began its Right of Access initiative in 2019, the agency started out slowly. But with 43 settlements under its belt, including a whopping 19 resolved cases in 2022 alone, OCR seems to be ratcheting up its enforcement. Here’s a look at the two most recent settlements: 1. Don’t delay on records’ requests of deceased patients. After repeated requests for a copy of her deceased father’s medical information from Health Specialists of Central Florida Inc., the patient’s daughter got the OCR involved. An investigation ensued, and OCR discovered that the provider’s “failure to provide timely access to the requested medical records was a potential violation of the HIPAA Right of Access standard, which requires a covered entity [CE] to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable),” the agency notes in a release.
On Dec. 15, 2022, OCR announced Health Specialists of Central Florida, Inc. agreed to pay OCR $20,000 and enter into a corrective action plan (CAP), which included an additional two years of monitoring by the feds. The agreement was the 42nd Right of Access case to be resolved by OCR since the initiative started. The CE also turned over the medical records — five months after the initial request, OCR indicates. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access,” said OCR Director Melanie Fontes Rainer, in the release. Review the resolution and case details at www.hhs.gov/hipaa/ for-professionals/compliance-enforcement/agreements/health-specialists-ra-cap/index.html. 2. Turn over lab results in a timely manner. Sandy Springs, Georgia-based diagnostic lab, Life Hope Labs LLC, failed to get a deceased patient’s labs and records to a family member in the allotted Right of Access time constraints, according to an OCR release. It took repeated attempts by the patient’s representative before the Life Hope Labs finally gave them the records more than seven months later. On Jan. 3, in this first case of 2023 and the OCR’s 43rd under the initiative, the CE agreed to pay $16,500 to settle the allegations and enter into a two-year CAP. “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans,” Fontes Rainer warned in the release. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.” Check out the resolution and settlement breakdown at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/ agreements/life-hopes-ra-cap/index.html. Add These Right of Access Tips to Your HIPAA Wheelhouse With patients’ rights continuing to be a hot topic for OCR and the Department of Health and Human Services (HHS) at large, you may want to beef up your Right of Access policies with enforcement activity expected to increase over the next year. Practices should prepare for patients’ requests as well as third-party concerns, suggests HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. As you update your Right of Access policies, consider factoring these tips into your compliance plan: Resource: Find the OCR guidance on the Right of Access provision at www.hhs.gov/hipaa/for-professionals/privacy/ guidance/access/index.html.