Practice Management Alert

HIPAA:

Abide by HIPAA Privacy Rule Right of Access

Some organizations are paying the price for noncompliance; make sure you’re not next.

Do you know what to do when a patient asks for copies of their medical records or other aspects of protected health information (PHI)? If you don’t comply quickly, the feds might want to pursue your organization for violating patients’ rights as described by HIPAA Privacy Rule Right of Access.

Take these cases as a warning on what noncompliance may cost your practice.

Background: On Sept. 10, the HHS Office for Civil Rights (OCR) announced its 20th settlement under its Right of Access Initiative since the program’s inception in September 2019. This is the seventh HIPAA enforcement case settled by the Biden administration, and of the seven settlements, six have dealt specifically with Right of Access investigations.

Details: A healthcare provider in Omaha, Nebraska, failed to furnish a parent with all her child’s medical records after they were requested in May 2020, according to an OCR release. The provider only offered the parent partial records, and a complaint was filed with OCR, which triggered a subsequent inquiry.

OCR’s “investigation found that on January 3, 2020, [the] Complainant submitted a written request to the provider for access to her late minor daughter’s medical records,” notes the Resolution Agreement. “At the time of the request, the provider provided [the] Complainant with a portion of the requested records.”

But the organization couldn’t immediately transfer the remainder of the records to the parent as they were stored at another location. Eventually, the rest of the patient’s records were delivered to the parent on June 20, 2020, and July 16, 2020, the Resolution Agreement shows.

“Under HIPAA, a parent is a ‘personal representative’ of a minor child and must be treated like a patient when exercising the right of access,” explains Atlanta-based attorney Madison M. Pool with law firm Arnall Golden Gregory LLP in an online legal analysis. “This Resolution Agreement highlights that partial compliance does not meet the HIPAA Privacy Rule’s right of access standard, even when a request requires collecting records from various divisions of the covered entity,” Pool expounds.

Result: To settle the potential Right of Access violation, the provider agreed to pay OCR $80,000 and enter a corrective action plan (CAP), plus one year of OCR monitoring.

“This settlement … should be a reminder to all HIPAA-covered entities that compliance with the HIPAA right of access remains important, and privacy rights will likely continue to be a priority of this presidential administration,” caution Philadelphia-based attorneys Bruce D. Armon and Samantha R. Gross with law firm Saul Ewing Arnstein & Lehr LLP in an online legal analysis.

Use These 5 Strategies to Uphold Right of Access Compliance

Despite significant guidance on the subject and substantial enforcement actions over the last two years, covered entities (CEs) continue to have issues with Right of Access compliance. The latest Resolution Agreement and past settlements offer a roadmap for providers to follow and assist with policymaking.

Check out these five basic Right of Access strategies, which will help you get started on creating your own policies and procedures.

1. Be Inclusive in Your Employee Training with HIPAA

If part of a workforce member’s job requires them to receive, process, or fulfill individuals’ requests for access to their records, then they must be trained on HIPAA Right of Access regulations.

“Workforce members must understand the covered entity’s process for addressing any issues that arise in the access request process and doing so in a timeframe that keeps the entity compliant,” explains partner attorney Valerie Breslin Montague with law firm Nixon Peabody LLP in a May blog posting.

2. You Can Charge for Requests

HIPAA offers a very complicated methodology for calculating fees for medical records requests, so there isn’t an exact amount per se. CEs are permitted to “charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI,” OCR says. They can calculate those fees by adding up “certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual,” the agency adds.

CEs can also opt for a flat fee not to exceed $6.50 for electronic copies of PHI.

Important: CEs must let requesters know in advance that a fee may be applied. Additionally, fees can never pose a financial barrier to individuals’ requests to their records — or enforcement action will ensue, OCR warns.

3. Follow State Privacy Laws

CEs should always review state privacy laws before setting up HIPAA policies and procedures, especially related to Right of Access laws.

“The HIPAA Privacy Rule sets a Federal ‘floor’ of privacy protections,” clarifies the HHS Office of the National Coordinator for Health Information Technology (ONC) in online guidance. “Many states have health information privacy laws that have additional protections that are above this floor. In addition, even though HIPAA is a Federal law, State Attorneys General have been given the authority to enforce HIPAA.”

Fees: CEs may want to revisit their state’s fee structures for medical records, too, as some states prohibit fees while others authorize them.

4. Know Exceptions to the Rule

There are a few limited exceptions to the Privacy Rule as it applies here. For example, CEs do not have to turn over data compiled and created for use in legal proceedings.

Individuals also don’t have the right to access mental health professionals’ psychotherapy notes due to the nature of their content. Since this data is “maintain[ed] separately from the individual’s medical record” and is used to “document or analyze the contents of a counseling session with the individual,” the information is exempt under HIPAA, OCR indicates.

5. Keep Timeline in Mind

Currently, the HIPAA Privacy Rule requires CEs to get patients their PHI “no later than 30 days from the individual’s request,” OCR guidance says. This timeline, however, is just “an outer limit,” and the feds prefer that CEs respond as quickly as possible, especially if health IT is being used to transfer the data in electronic form.

When PHI is stored offsite and the CE cannot offer access within the 30-day timeframe, the Rule allows for a maximum extension of an additional 30 days, OCR guidance maintains. The CE must let the individual know in writing during the initial 30 days that an extension is necessary, why there will be a delay, and when the patient should expect access to their records.

Don’t forget: State laws are often more stringent than HIPAA and turnaround times do differ by state. Furthermore, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking last year that aims to reduce the records’ request timeline from 30 days to 15 days.