On September 6, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) settled its first HIPAA enforcement action under its Right of Access Initiative. Announced earlier this year, the Initiative is aimed at protecting the right of patients to receive copies of their medical records in a timely fashion and without being overcharged.

Case Background

OCR launched an investigation in response to a patient who reported Bayfront Health St. Petersburg, a trauma and tertiary care center, for failing to provide her with timely access to her child’s prenatal health records. The investigation revealed that the mother requested her child’s records on October 18, 2017 but was informed that the records could not be found. In response to two more requests for the records from the patient’s attorney, Bayfront produced an incomplete set of records in March 2018. Five months later, on August 23, 2018, Bayfront finally produced the full set of records.

While Bayfront did not admit culpability, it agreed to pay OCR $85,000 to settle the claims alleged against it. Bayfront also agreed to take corrective action, including modifying its policies and procedures regarding patient access to records, training staff annually, and sanctioning workers who fail to timely respond to patient record requests.

This may be the first enforcement action under OCR’s Right of Access Initiative, but it is unlikely to be the last. Health care providers would be well-advised to review their policies and procedures to ensure their compliance with HIPAA.

Right of Access

 The HIPAA Privacy Rule provides patients with a legal, enforceable right to inspect or obtain a copy, or both, of the information in their health records maintained by their health care providers and health plans. The Privacy Rule requires covered entities (health plans and most health care providers) to provide patients, upon request, with access to their protected health information in one or more “designated record sets.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the (i) medical records and billing records about patients maintained by or for a covered health care provider; (ii) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and (iii) other records that are used, in whole or in part, by or for the covered entity to make decisions about patients.

The patient’s right of access also includes the right to direct the covered entity to transmit a copy to a designated person or entity of the patient’s choice. Patients have a right to access their medical records for as long as they are maintained by a covered entity, or by a business associate on behalf of a covered entity, (i) regardless of the date the information was created; (ii) whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or (iii) where the records originated (e.g., whether the covered entity, another provider, the patient, etc.). As in the Bayfront enforcement action, a patient’s personal representative (individual authorized under State law to make health care decisions for the patient) also has the right to access the patient’s records and to direct the provider to transmit a copy of those records to a designated person or entity.

Exceptions to the Right of Access

There are, however, exceptions to this rule. Patients do not have the right to access their records that are not part of a designated record set, which may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about the patients. In addition, two categories of information are expressly excluded from the right of access: (i) psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, which are maintained separate from the rest of the patient’s medical record; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Verification of Requester

Providers do have some control over the manner in which a patient submits a request for records. Providers may require patients to request access to their records in writing if they inform the patient of this requirement. Providers may also offer patients the option of making requests through electronic means (e.g., e-mail, secure web portal), or by using a provider-created form, so long as use of the form does not unreasonably delay the patient from obtaining access to his/her records. Regardless of which of these methods the provider prefers, reasonable steps must be taken to verify the identity of the individual making the request.

Once the provider receives a request for records and verifies that the individual is authorized to access them, the records must be provided in the form and format the individual requests, if readily producible in that form and format, or if not, in another format mutually agreed upon.

Timing for Responding to Records Request

As evidenced by the Bayfront enforcement action, timing is key when responding to a request for records. Under HIPAA, the patient must be provided with the records no later than 30 days after the request is made and in the manner and format requested (to the extent possible). If unable to meet that timeframe, the provider may have only one 30-day extension. However, state laws may impose stricter deadlines. For example, under California law, the patient must be granted access to inspect his/her records within 5 days of making the request and must receive a copy of his/her records within 15 days of the request.

Copying Fees

The provider may charge the patient a reasonable fee for the expense involved in copying the records, the materials used for copying the records, and postage (if applicable). However, the fee may not take into account costs associated with verification, documentation, searching for and retrieving the records, maintaining systems, recouping capital for data access, storage, or infrastructure, or any other costs. States may have additional restrictions on copying fees, such as California, which limits fees to $0.25 per page for paper copies of records.

If you would like assistance conforming your policies and procedures to HIPAA’s right of access requirements, responding to a request for records, or litigating this issue, or if you would like more information regarding this client alert, feel free to contact:

Michael “Akiva” Newborn