Eighteenth Investigation Settled Under the HIPAA Right of Access Initiative
A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), is facing an enforcement action under the Office for Civil Rights HIPAA Right of Access Initiative. VPS has become the eighteenth HIPAA covered entity to face such an enforcement action and has to pay $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
The right of access under the HIPAA Privacy Rule requires HIPAA covered entities, such as health plans, health care clearinghouses and most health care providers, to provide individuals, upon request, with access to PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice, right to access infographic, videos, and general fact sheets. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.
Additionally, covered entities and their business associates must follow HIPAA regulations while implementing the HIPAA Privacy Rule. The issues to consider are: a) what information is subject to the right and what information is not, such as psychotherapy notes; b) confirming the authority of a “personal representative” to act on behalf of an individual; c) procedures for receiving and responding to requests, such as written request requirements, verifying the authority of requesting parties, timeliness of response, whether and on what grounds requests may be denied, and fees that can be charged for approved requests. To assist covered entities (and business associates), the OCR provides a summary of right of access issues, as well as a set of frequently asked questions.
In the same fashion, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services also announced its eighteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. The purpose behind this initiative is to reinforce individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. This initiative was taken in September 2019, when OCR received a complaint from a patient. The patient alleged that VPS failed to respond in a timely manner to a patient’s records access request made in August 2019. OCR found that failing to provide the requested medical records is a probable violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days, if an extension is applicable).
The resolution also requires VPS to undertake a corrective action plan (“CAP”) that includes two years of monitoring by the OCR. Under the CAP, VPS needs to revise its right of access policies, submit those policies to OCR for review, obtain written confirmation from staff that they have read and understood the new right of access policies, train staff on the new policies, and every 90 days submit to OCR a list of requests for access from patients and VPS’ responses.
Medical providers receive many requests for medical and other records in the course of their business. No doubt, these requests create an administrative burden. However, sanctions under state law should be followed strictly so that access to such records flows easily.