OCR begins HIPAA right of access enforcement initiative
Over the past several years, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has taken various steps to ensure compliance with the right of access by covered entities. The Phase 2 audits were limited to specific areas of HIPAA compliance, one of which being right of access. More recently, OCR announced the Right of Access Initiative, promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.
Following through with this promise, OCR recently announced a settlement with Bayfront Health St. Petersburg, resolving a potential violation of the right of access provision. The enforcement action stemmed from an OCR investigation, prompted by a patient’s complaint, that determined Bayfront failed to provide a mother timely access to records about her unborn child. In this case, the mother submitted a written request in October 2017 for the fetal heart monitor records from her delivery. Initially, Bayfront replied that the records were not found; however, it produced these records in August 2018 in response to requests from the mother’s attorney. The HIPAA access rule (45 CFR 164.524) generally requires covered entities to provide medical records requested by a patient within 30 days of the request and extends to parents requesting information about their minor children.
In the announcement, OCR Director Roger Severino reiterated the promise to enforce compliance with these rules, stating: “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
Covered entities should be ready for the Right of Access Initiative by reviewing their policies and practices to ensure that they respond to patient requests for access to medical records in compliance with HIPAA rules. Health care providers should also be aware of state law in this area, which may impose additional or more strict obligations that are not preempted by HIPAA. In the event that state law grants greater rights to patients – for example, requires a response to request for records in a shorter timeframe than HIPAA – state law must be followed.