Medicare Compliance & Reimbursement

HIPAA:

OCR Settles First 'Right to Access' Case

Practices should anticipate more enforcement on this issue.

The feds have initiated many pro-patient programs in the last year, including policy proposals that support hefty penalties for information blocking. A first-of-its-kind case suggests that organizations should put patients’ rights first — and align their protocols accordingly.

Background: On Sept. 9, Bayfront Health-St. Petersburg (Bayfront) agreed to pay the HHS Office for Civil Rights (OCR) $85,000 to settle a HIPAA violation related to a patient’s right to access medical records, an OCR release indicates. The Florida-based medical center also committed to a one year corrective action plan (CAP) to remedy its issue.

This is OCR’s first enforcement since commencing its “Right of Access Initiative” earlier this year. The agency promises “to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged,” the release reiterates.

Register the Case Specifics

According to OCR, Bayfront didn’t comply and failed to give a pregnant mother records concerning her unborn child in a timely manner. The mother issued a complaint to the OCR, which precipitated an investigation by the agency. Bayfront did not get the mother the records until nine months after the initial request.

Remember: HIPAA requires covered entities (CEs) to provide their patients with their protected health information (PHI) within 30 days of a request. In addition, a nominal fee for the medical records is allowed, but it must be reasonable.

This case also follows the rule that parents are granted access to the PHI of their minor children as well — including unborn children.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR director Roger Severino in a statement. “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

Why Does This Matter?

This settlement comes on the heels of a plethora of policy proposals from the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) to circumvent information blocking, boost data sharing, and improve interoperability. The proposed rules have not been finalized yet, but are expected in the coming months (see Medicare Compliance & Reimbursement, Vol.45, No.5).

“While historically patient access complaints have not generally invoked the fines and penalties that other types of HIPAA compliance issues have, that pattern is changing,” warn attorneys Stephane P. Fabus and Mark J. Swearingen of national firm Hall Render in online analysis in the Health Law News blog. “Fines and penalties will likely become a more common-place tool for enforcing compliance with the patient access requirements. OCR is now requesting information regarding a covered entity’s financial status as part of its standard investigation into access complaints.”

Resources: See the details of the case and CAP at  www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.

Review the HIPAA rules on patients’ rights to access their PHI at  www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs.