The HIPAA Right of Access Provision
The Health Insurance Portability and Accountability Act (HIPAA), specifically the HIPAA Privacy Rule, provides individuals with the legal right to obtain access to their health information in the possession of their healthcare providers. Since 2019, the Department of Health and Human Services' Office for Civil Rights (OCR) has dedicated resources to enforcing this right of access through its HIPAA Right of Access Initiative. To date, OCR has settled 19 right of access investigations against a variety of health providers, requiring providers to pay monetary penalties and implement corrective action plans.
The Privacy Rule requires healthcare providers to comply with requests by individuals for access to their health information. The right of access includes the right to inspect and copy an individual’s health information and to request that the provider release the information to a third party.
The Designated Record Set
When a request for health information is made by an individual, the provider is required to allow access to the information in what is referred to as a “designated record set.” A designated record set is a set of records maintained by the provider consisting of: (1) medical and billing records; (2) health insurance or claim management information; and (3) other records not listed in the first two categories that are utilized by the provider in the provider’s decision-making process regarding the individual. The information an individual is entitled to within the designated record set includes diagnostic results, imaging scans, and provider notes.
Not included in the designated record set are any records which are not used by the provider in the decision-making process regarding the individual requesting access. This includes information that is used by the provider in making decisions regarding the business of the provider, but that is not used in making decisions regarding the individual. Further, psychotherapy notes and information prepared regarding a legal proceeding are specifically excluded from the designated record set.
The Recipient of the Designated Record Set
In addition to requesting the designated record set be provided to the requesting individual, the requestor may also request the designated record set be provided to a third party. Such requests must be transmitted to the provider in writing, clearly describing the third party, and bearing the signature of the individual entitled to access the records. An individual’s personal representative is also permitted to access the individual’s designated record set to the same extent that individuals themselves may access the designated record set.
Pursuant to the Privacy Rule, providers are required to verify the identity of the individual making the request to ensure that the individual is entitled to access the requested records. The manner of verification is left up to the providers and, generally, any form of verification will suffice, but providers may not pose unreasonable barriers to the individual’s right to access the records through the verification requirement.
The Timing Requirements of Providing Access
Providers are required to comply with right of access requests within 30 calendar days of receipt of the individual’s request. Providers are permitted to obtain one extension of time to comply with a valid right of access request if the provider informs the requestor, in writing, of the need for additional time, the reason for the extension, and the date by which the individual will be granted access to his or her records. This notice extending the provider’s time to respond must be sent to the requestor within the initial 30-day response period. The time to respond may only be extended by 30 additional calendar days.
It should be noted that on December 10, 2020, HHS proposed modifications to the HIPAA Privacy Rule, including the right of access provision. These modifications have yet to go into effect as HHS awaits public comment, but should the modifications become effective, the more specific requirements of the right of access provision, including the timing requirements, may change.
The Form of Access
The Right of Access provision generally requires providers to provide the designated record set in the form requested by the individual. If the designated record set is not readily capable of being transmitted in this form, the designated record set must be either provided in a format agreed to by the individual and the provider or in hard copy. The provider is required to maintain the capacity to transmit health information electronically in at least a basic form.
Providers are permitted to require that individuals make their right of access requests in writing. The provider’s choice to opt for written requests must be communicated by the provider to the individual requesting access.
Fees Charged for Access to Health Information
Providers are permitted to charge a reasonable fee for specified costs incurred in the course of providing individuals their designated record set. Providers are permitted to charge requestors for: the cost of labor necessary to copy the requested records; the cost of the supplies needed to comply with the form in which the individual requested his or her records; the cost of postage if the individual requested to receive the records by mail; and the cost of preparing any agreed-upon summary or explanation regarding the health information. Providers may not charge fees regarding the costs of searching for and collecting the requested information, storing and maintaining the information, or other, infrastructure-related costs.
Denial of an Individual’s Right of Access
An individual’s request for access to his or her health information may be properly denied by the provider under a select set of circumstances. If grounds for denial exist, the denial may apply to the entirety of the records requested or merely to a portion of them. In the event the provider denies the individual access, the provider must give the individual a written denial describing the reasoning behind the denial and notifying the individual of his or her right to have the denial reviewed (if permitted), along with the review process. The denial must also explain the OCR complaint process to the individual. This written denial must be provided to the individual within 30 days of the provider’s receipt of the individual’s initial request for access, or within the extension period if applicable. If the provider does not possess the information requested, the provider must inform the individual of the location of the health information if the provider is aware of the location.
OCR’s Right of Access Settlements
In 2019, OCR announced its intent to create an initiative dedicated to enforcing the right of patients to access their health information in a manner consistent with the requirements of the HIPAA right of access provision. Prior to the Right of Access Initiative, the right of access HIPAA provision had been enforced, but it had not been enforced consistently or in the broad manner contemplated by the Initiative.
As of the time of this writing, OCR has reached 19 Right of Access settlements with providers through the Initiative.
OCR’s first right of access settlement pursuant to the Initiative, in September 2019, involved a Florida-based hospital. The complainant alleged she was not provided access to her unborn child’s records for nine months following her request. The complaint initiated the OCR investigation, which concluded with an $85,000 settlement payment to OCR and the adoption of a corrective action plan.
The second settlement, reached in December 2019, involved a Florida-based primary care medical office. The medical office allegedly failed to provide a patient’s medical records to a third party in a timely manner upon request, failed to provide the records in an electronic format, and charged an exorbitant fee for providing the records. The investigation resulted in a settlement payment of $85,000 and the implementation of a corrective action plan.
OCR’s third through seventh settlements were announced together in September 2020. The third settlement stemmed from a complaint from a patient against a nonprofit organization based in New York that provided health services. The complaint alleged that the organization had not provided the patient with his medical records upon request. OCR initially provided technical assistance to the organization and closed its investigation, but reopened it when OCR received a second complaint from the same patient alleging that he still had not been provided with his medical records. OCR settled with the organization, which agreed to pay $38,000 and to implement a corrective action plan.
The fourth settlement involved a California-based family medicine clinic. The clinic was alleged to have violated the right of access provision by refusing to provide a patient with a copy of her medical records. The clinic agreed to a corrective action plan and a $15,000 payment to resolve the alleged violation.
The fifth settlement involved a mental health services organization based in Massachusetts. OCR initiated an investigation into the organization to determine whether it had violated the right of access provision when it failed to respond to a request for records from the personal representative of a former patient. The matter was resolved when the organization provided the personal representative with a copy of the requested records; no corrective action plan or payment was imposed.
OCR’s sixth settlement arose from an investigation into a psychiatric medical practice in Virginia. The practice allegedly had failed to respond to requests by a patient for copies of her medical records. OCR concluded its initial investigation by providing the practice with technical assistance in responding to medical records requests and securing assurances that it would provide the patient the requested records. Several months later, however, OCR received a follow-up complaint alleging that the practice had still not provided the patient with the records. This prompted OCR to initiate another investigation, culminating in a settlement agreement whereby the practice agreed to pay $3,500 and adopt a corrective action plan.
Two investigations into a Colorado-based psychiatric provider led to OCR’s seventh right of access settlement. OCR initiated the first investigation upon its receipt of a complaint by the personal representative of the estate of a former patient alleging that the provider had failed to provide the representative with copies of the former patient’s records. OCR provided technical assistance to the provider and closed its investigation, but opened a second one months later when OCR received a second complaint alleging that the representative still had not received access to the former patient’s records. The provider agreed to a settlement involving a $10,000 payment and the adoption of a corrective action plan.
OCR’s eighth settlement was reached in October 2020 following an investigation into an Arizona-based acute care hospital. The mother of a minor child who was a patient of the hospital served as the personal representative for the child and made several requests to the hospital for the child’s records, with which the hospital did not comply. The hospital ultimately settled with OCR, agreeing to pay $160,000 and adopt a corrective action plan.
The ninth settlement involved a New York pain and neurology clinic and was also reached in October 2020. A patient of the clinic submitted a complaint to OCR, alleging that the clinic failed to provide her with all of her medical records upon multiple requests. While the clinic provided some of the requested records, it did not provide all of them, including diagnostic films. The clinic ultimately settled with OCR, agreeing to pay $100,000 and adopt a corrective action plan.
OCR’s 10th settlement, in November 2020, involved a California-based psychiatric clinic, which allegedly failed to provide a patient access to her records upon multiple requests. The clinic claimed it was not required to comply with the patient’s requests because her request included access to psychotherapy notes. Although the right of access provision does not require a provider to provide a patient with access to psychotherapy notes, it does require a provider to provide patients a written explanation regarding its denial and to provide the requested records that are not psychotherapy notes. OCR found that the clinic had violated the right of access provision by failing to provide the patient a written explanation of its denial of access and by failing to provide her the other records. The matter was settled for a payment of $25,000 and the implementation of a corrective action plan.
The 11th OCR settlement, also in November 2020, involved a New York solo practitioner who, according to a complaint received by OCR, allegedly failed to comply with a patient’s request for her medical records. OCR’s initial investigation concluded with the provision of technical assistance to the practitioner, but OCR launched a follow-up investigation after it received a second complaint from the patient alleging that the practitioner had still not complied with her requests. The investigation culminated with a settlement of $15,000 and the implementation of a corrective action plan.
OCR’s 12th right of access settlement, the third in November 2020, arose from a complaint by a patient of a university medical center in Ohio alleging that the medical center had failed to respond to the patient’s request that her medical records be sent to her attorneys. The medical center settled with OCR, agreeing to a corrective action plan and the payment of $65,000.
The 13th settlement, reached in December 2020, stemmed from a complaint by a patient of a Georgia-based primary care facility, alleging that the facility had failed to respond to the patient’s multiple requests for copies of his medical records. The facility agreed to a settlement with OCR, which included a payment of $36,000 and the implementation of a corrective action plan.
In January 2021, OCR reached its 14th settlement, involving an Arizona-based nonprofit health system. OCR had received two complaints that alleged that the requested records were not provided until approximately five months following each request. The health system agreed to a settlement involving a corrective action plan and a $200,000 payment.
The 15th OCR settlement, in February 2021, arose from a complaint from a patient of a Nevada-based nonprofit health system who alleged that the health system failed to timely provide the patient’s medical records to a third party at the patient’s request. OCR’s investigation into the matter resulted in a settlement agreement requiring the health system to implement a corrective action plan and pay $75,000.
OCR’s 16th settlement, also in February 2021, pertained to a patient’s complaint that a California-based hospital system failed to comply with the patient’s request that the patient’s medical records be provided to a third party. OCR provided technical assistance, but received a second complaint that the patient still had not received the records. The hospital system agreed to pay $70,000 in settlement and implement a corrective action plan.
The 17th settlement, in March 2021, arose from the alleged failure of a Massachusetts behavioral health services organization to timely comply with a patient’s request for medical records. While the organization provided the patient with copies of the records, it did not do so until more than five months after the request. OCR’s investigation culminated in a settlement agreement, whereby the organization would implement a corrective action plan and pay $65,000.
The 18th settlement, also in March 2021, involved the alleged failure of a New Jersey plastic surgery office to timely respond to a patient’s request for access to the medical records. This investigation resulted in a settlement of $30,000 and implementation of a corrective action plan.
The 19th and, as of this writing, the latest OCR right of access settlement, announced in June 2021, pertained to a West Virginia-based endocrinology healthcare provider following a patient complaint alleging that the provider failed to comply with her request for copies of her minor child’s health records. Following OCR’s investigation, the provider settled the matter, agreeing to take corrective actions and pay $5,000.
OCR Settlements Demonstrate the Broad Scope of the Initiative
The HIPAA right of access settlements demonstrate the variety of providers and right of access violations within the contemplated scope of OCR’s Initiative. The providers investigated included solo practitioners, small physician practices, nonprofit organizations, university hospitals, and entire hospital systems. The alleged violations involved the complete failure to respond to requests for access to records, the denial of access, the failure to timely respond, the failure to provide affordable access, and the failure to provide timely access. Each settlement included the requirement that the provider comply and provide the records at issue to the requesting party. The monetary penalty included in each settlement ranged from $3,500 to $200,000, with an average monetary payment of $56,974. All but one required the provider to implement a corrective action plan. All of the investigations stemmed from complaints from the requesting party. The complaints included requests for access by patients themselves, by personal representatives, and by parents, as well as requests that records be provided to third parties.
OCR’s efforts to investigate potential right of access violations have been picking up speed since the fall of 2020. Prior to that point, OCR had launched only a handful of investigations (likely due, in part, to the COVID-19 pandemic). In late 2020 and throughout 2021, however, OCR has announced more settlements, demonstrating its continued commitment to the Initiative.
The wide-ranging scope of OCR’s HIPAA Right of Access Initiative demonstrates the need for all healthcare organizations to implement technical and administrative measures to ensure timely responses to requests for access to health records. OCR has given no indication that its Initiative is ending soon. Healthcare providers should be aware of the right of access requirements and of the scope of OCR’s Initiative as demonstrated by the settlement agreements, both to reduce the risk of right of access violations and to ensure that patients may adequately exercise their rights of access.