Written By Cameron McNerney, CHCP (Communication Manager) | Estimated 8-minute read
OCR Grinds its Axes: Introduction to the HIPAA Right of Access
January 31, 2024 — Any patient has the right to obtain access to their protected health information (PHI). Full stop.
In 2024 and beyond, the HIPAA Privacy Rule's Right of Access provisions could mean millions of dollars in civil monetary penalties and mandated corrective action plans. To keep health organizations from being caught off guard, let's start by clarifying a few points:
- The HHS Office for Civil Rights (OCR) is consistently investigating complaints and resolving cases. Why? OCR reviews every complaint it receives, whether it comes from someone inside or outside your organization, and the regulations require it to investigate when that preliminary review indicates a possible violation due to willful neglect; it may investigate any other complaint at its discretion.
- Our team avoids making yearly "predictions." Instead, as compliance specialists, we work from what is established and what is likely (if A holds, B becomes more probable). That standard is how HCP turns complex requirements into something easier to understand wherever possible.
- We caution all HIPAA covered entities and business associates: OCR is actively pursuing healthcare organizations nationwide for "failure to provide timely access to medical records," a complaint that is frequently cited as the trigger for an OCR investigation. We expect enforcement for this specific violation to increase.
There is good news, though. An effective HIPAA compliance program, one that actually follows the rules, is the proper defense for your organization against this regulatory scrutiny.
Let's explore what a patient's right to access their health records means, and how your organization can provide timely access upon request.
So What? What is the HIPAA Right of Access Initiative?
The Right of Access Initiative is a top focus for OCR, and this enforcement effort is only gaining momentum. OCR is committed to enforcing the privacy and security of people's health information that is protected under HIPAA.
"The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law." - OCR Director Melanie Fontes Rainer
OCR is resolving case after case, moving quickly, and pursuing healthcare organizations regardless of their size.
Size is immaterial to OCR enforcement. Whether an alleged "failure to provide timely access" complaint involves a small private practice or a large health system, the likely result is a monetary penalty and a mandated corrective action plan.
In general, OCR has the authority to conduct compliance reviews and investigations into complaints alleging violations of the HIPAA Rules by covered entities and business associates. Covered entities and business associates must cooperate with HHS compliance reviews and investigations.
"Patients have a fundamental right under HIPAA to receive their requested medical records in most cases, within 30 days" - OCR Director Melanie Fontes Rainer.
Understanding the HIPAA Right of Access Provision
The Timely Factor:
Timeliness is the key component to understanding this provision. According to HHS Guidance on the Right of Access, as technology advances and becomes adopted, so too does the responsibility of HIPAA covered entities to provide "a more patient-centered health care system."
When a patient asks for their protected health information (PHI), the covered entity must give that individual access to the PHI held in its "designated record sets" (defined below).
The right applies to PHI in a designated record set maintained by a covered entity or by a business associate on its behalf. It does not matter when the information was created, whether it is kept on paper or in electronic systems (onsite, remotely, or in an archive), or who created it (the covered entity, another provider, the patient, and so on).
Re-read that previous sentence and you can see how demanding this requirement is to implement in practice, so let's keep simplifying toward HIPAA compliance.
The Designated Record Set:
'The term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity,' explains HHS guidance.
A "designated record set" includes the following collections of records maintained by or for a covered entity:
- Patient medical records and billing records from health care providers
- Enrollment, payment, claims adjudication, and case or medical management records from health plans
- Any other records used, in whole or in part, by or for the covered entity to make decisions about individuals
Fortunately, when a patient requests access, the covered entity does not have to create new information; it only has to provide what already exists in the designated record set. The overall provision is simple to state: if a covered entity holds health information about an individual, that individual must be able to see it and obtain a copy of it (and OCR insists on this).
How to Respond to a Patient's Request?
Verify the identity of the patient before complying with the access request. The HIPAA Privacy Rule mandates this verification process.
- Verification must not become an unreasonable barrier for a legitimate requester. Whether the request arrives through a patient portal, by email, by phone, or by mail, the identity check must not delay a timely response.
Separately from verification, the covered entity must provide the PHI in the form and format the patient requests when it is readily producible. The HHS guidance also explains that "…covered entities are encouraged to offer individuals multiple options for requesting access." In essence, the covered entity must accommodate:
- if a patient requests their records in a paper copy format (even if those records are electronically stored).
- if a patient requests their protected health information in an electronic format (even if those records are maintained on physical paper).
- if the requested format is not readily producible, the covered entity must provide a readable hard copy or another form and format agreed on with the requester.
Did you know that a patient can agree to receive a summary or explanation of the PHI instead of a copy?
- This can be a useful alternative to copying the full record, but only if the patient agrees in advance both to receive a summary rather than the records themselves and to any reasonable, cost-based fee for preparing it, and accepts the delivery method.
HHS guidance treats mail and email as "readily producible by all covered entities," so a covered entity cannot refuse these delivery methods on security grounds. For unencrypted email, the guidance expects the covered entity to warn the individual of the risk of interception and then to honor the request if the individual still wants it delivered that way.
HCP Recommendations for HIPAA Compliance
Timing is the requirement we emphasize most. Our compliance advisors urge you to fulfill patient requests as quickly as reasonably possible to protect your organization.
"The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible." - HHS Guidance
Regulators assume that a covered entity using health information technology can offer patients convenient electronic access, which in many cases can be almost instantaneous:
"Further, individuals may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations." - HHS Guidance
A covered entity that cannot act on a request within 30 days (for example, because the records sit in an offsite archive) may take one extension of up to 30 additional days, and only once per request. To use it, the covered entity must, within the original 30 days, give the individual a written statement of the reasons for the delay and the date by which it will complete the request. We strongly advise against relying on this extension. Please consult a compliance advisor on the specifics if you need assistance.
If a covered entity charges for a copy of PHI, the fee must be reasonable and cost-based. The HIPAA Privacy Rule permits a fee covering only the cost of:
1. Labor for copying the PHI the patient requested (in paper or electronic form)
2. Supplies for creating the paper copy or the electronic media (such as a USB drive), if the patient asks for the electronic copy on portable media
3. Postage, when the patient asks that the copy, summary, or explanation be mailed
4. Preparing a summary or explanation of the PHI, if the patient agrees to this alternative in advance
However, the guidance is clear that the fee may not include the cost of:
- Verifying the requester's identity or otherwise processing the request
- Searching for or retrieving the PHI
- Maintaining IT systems
- Recouping capital expenditures for data access, storage, or infrastructure
- "…or other costs not listed above even if such costs are authorized by State law"
For more detail on the provision itself, HCP recommends reading the HHS Guidance on the HIPAA Right of Access, which covers who can request access, the defined exceptions, and a wide range of scenarios.
Save valuable time when checking whether your organization remains compliant as requirements change. HIPAA compliance is a continuous process of correction, and you're not alone in this marathon.
Are you an HCP client? Log in to your HCP Portal or contact your dedicated support team when you have questions, so your organization stays protected.
Not an HCP Client Yet?
Don't wait for a compliance issue to arise. Take proactive steps today to safeguard your organization. Our team at HCP is dedicated to guiding you through the complexities of HIPAA compliance, ensuring that your organization not only understands but excels in meeting these critical requirements.
Connect with us to help you understand the requirements, meet those rules, and protect your organization.