Medicare Compliance & Reimbursement

HIPAA:

OCR Kicks New Year Off With Right of Access Settlement

Adapt policies now to ensure employees know the rules.

Due to the pandemic, HIPAA enforcement actions have been relatively sparse these past few years — with one exception: Right of Access settlements. In fact, the feds ended 2022 and opened 2023 with resolutions under the Right of Access provision. Read on for the scoop.

Background: When the HHS Office for Civil Rights (OCR) began its Right of Access initiative in 2019, the agency started out slowly. But with 43 settlements under its belt, including a whopping 19 resolved cases in 2022 alone, OCR seems to be ratcheting up its enforcement.

Here’s a look at the two most recent settlements:

1. Don’t delay on records’ requests of deceased patients. After repeated requests for a copy of her deceased father’s medical information from Health Specialists of Central Florida Inc., the patient’s daughter got the OCR involved. An investigation ensued, and OCR discovered that the provider’s “failure to provide timely access to the requested medical records was a potential violation of the HIPAA Right of Access standard, which requires a covered entity [CE] to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable),” the agency notes in a release.

On Dec. 15, 2022, OCR announced Health Specialists of Central Florida, Inc. agreed to pay OCR $20,000 and enter into a corrective action plan (CAP), which included an additional two years of monitoring by the feds. The agreement was the 42nd Right of Access case to be resolved by OCR since the initiative started. The CE also turned over the medical records — five months after the initial request, OCR indicates.

“Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access,” said OCR Director Melanie Fontes Rainer, in the release.

Review the resolution and case details at www.hhs.gov/hipaa/ for-professionals/compliance-enforcement/agreements/health-specialists-ra-cap/index.html.

2. Turn over lab results in a timely manner. Sandy Springs, Georgia-based diagnostic lab, Life Hope Labs LLC, failed to get a deceased patient’s labs and records to a family member in the allotted Right of Access time constraints, according to an OCR release. It took repeated attempts by the patient’s representative before the Life Hope Labs finally gave them the records more than seven months later.

On Jan. 3, in this first case of 2023 and the OCR’s 43rd under the initiative, the CE agreed to pay $16,500 to settle the allegations and enter into a two-year CAP. “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans,” Fontes Rainer warned in the release. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”

Check out the resolution and settlement breakdown at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/ agreements/life-hopes-ra-cap/index.html.

Add These Right of Access Tips to Your HIPAA Wheelhouse

With patients’ rights continuing to be a hot topic for OCR and the Department of Health and Human Services (HHS) at large, you may want to beef up your Right of Access policies with enforcement activity expected to increase over the next year.

Practices should prepare for patients’ requests as well as third-party concerns, suggests HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.

As you update your Right of Access policies, consider factoring these tips into your compliance plan:

  • Educate staff: You need to train your workforce on individuals’ rights to access their health data, and what this means to your organization.
  • Know the rules: Administrative staff should familiarize themselves with the HIPAA rules and updates to the federal mandates. Plus, “make sure you provide access to individuals according to the rules for individual access only,” Sheldon-Dean cautions.
  • Address third-party issues: Hammer out a compre­hensive business associate agreement (BAA) upfront to avoid problems later on. “Be ready to redirect requests from third parties to your authorization process for releases,” Sheldon-Dean advises.
  • Check past resolutions: Review CAPs and resolutions from the 43 settlements to figure out what OCR’s expectations are for compliance with the provision.
  • Put it in writing: It’s easy to forget what your policies are if they aren’t set in stone. Keep a written record of your organization’s policy updates, so you have recourse if problems pop up.
  • Ensure staff know the deadline requirements: CEs must get patients or their representatives their medical records “in the form and format requested” and within “30 calendar days from receiving the individual’s request,” OCR reminds. Policies should include the HIPAA-mandated timeline as well as procedures on dealing with exceptions and/or denials when extra time is needed to compile the records.
  • Pay attention to your patients: “Always do your best to satisfy reasonable requests from individuals and do what is best for their healthcare; happy patients don’t complain to HHS,” warns Sheldon-Dean.

Resource: Find the OCR guidance on the Right of Access provision at www.hhs.gov/hipaa/for-professionals/privacy/ guidance/access/index.html.