Although HIPAA is probably best known for its privacy and security provisions, it also affords certain essential rights to ensure that individuals have access to their medical records.
Since 2019, the HHS Office for Civil Rights (OCR) has stated its intent to increase enforcement of this specific right in response to a directive from HHS. Until recently, the increase in this targeted enforcement activity had been gradual.
Enforcement of these rights drove nine settlement agreements in September and October. These are in addition to three breach-related settlement agreements in the same period. Obviously, the OCR has ramped up its enforcement efforts recently, and all covered entities and business associates should beware.
The first of the settlements involved St. Joseph's Hospital and Medical Center ("St. Joseph's"), which entered a corrective action plan and paid $160,000 to settle potential violations of HIPAA's right to access provision. In this case, a mother requested a copy of her son's medical records. Despite an initial production of some of the records, St. Joseph's only produced the complete records 22 months later.
Another settlement involved NY Spine Medicine ("NY Spine"), which also entered a corrective action plan and paid $100,000 to settle a potential violation of HIPAA's right to access provision. Similar to the St. Joseph's situation, a patient requested a copy of her medical records, but NY Spine initially provided her with only a portion of her record. Significantly, NY Spine did not produce the remaining records--including the portions of her record that the patient specifically requested in the first place--until over a year later.
"No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped-up enforcement of the right of access until covered entities get the message," said Roger Severino, OCR Director.
This flurry of HIPAA enforcement action confirms that the OCR is as busy as ever in its efforts to ensure compliance. All covered entities and business associates are encouraged specifically to review their access policies--and ensure that staff are implementing them appropriately. Additionally, as more and more care is provided electronically, entities need to revisit their Security Rule Risk assessments to ensure that they reflect the current state of operations.
Patient rights to access are not limited to HIPAA.
In May, the HHS Office of National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid (CMS) released final rules and regulations related to the 21st Century Cures Act (Cures Act) Interoperability and Information Blocking Rules, and the Office of Inspector General (OIG) released its proposed enforcement Rule.
Under these Rules, a patient's request for records (as well as requests from others) must be fulfilled in compliance with the Information Blocking Rule requirements, or the Health IT developer and healthcare providers risk enforcement. Under the proposed enforcement rule, Health IT developers regulated by the Cures Act are subject to civil money penalties of up to $1 million per violation, and the OIG will refer healthcare providers to "the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking."
CMS also has a specific enforcement blueprint with regard to managed care plans and certain enrolled facilities. At this time, however, the potential enforcement structure for healthcare providers has not been determined. The deadline for Information Blocking compliance is November 2, with a COVID-related enforcement discretion waiver of three months. With time running out, it is imperative that health IT developers, managed care plans and healthcare providers assess their abilities to meet the Information Blocking requirements.
Beth Pitman and Nathan Kottkamp are partners at Waller Lansden Dortch & Davis LLP.