Provider Confusion Often the Cause of Patient Access Rights Violations

Many healthcare providers are unclear as to when a request is made by an individual pursuant to a HIPAA authorization versus a HIPAA access request, particularly when a patient wants records to be sent to a third party, a HIPAA compliance officer at a law firm explained.

Significant changes are occurring in the enforcement of patients’ right to access their health information within a reasonable timeline. On February 12, 2021, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced its 16th settlement of an enforcement action in its HIPAA Right of Access Initiative. The amounts of these settlements vary, and many more settlements may follow for a host of reasons.

In this case, Sharp HealthCare agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. The company, based in California, provides healthcare through 4 acute care hospitals, 3 specialty hospitals, 3 affiliated medical groups, and a health plan. In June 2019, a complaint was filed with OCR alleging that the company failed to take timely action in response to a patient’s records access request directing an electronic copy of protected health information (PHI) in an electronic health record (EHR) be sent to a third party.

OCR provided the company with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that the company still had not responded to the patient’s records access request. OCR initiated an investigation and determined that the company’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.

As a result of OCR’s investigation, access to the requested records was completed. “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right,” Acting OCR Director Robinsue Frohboese said in a press release. In addition to the monetary settlement, the California company will undertake a corrective action plan that includes 2 years of monitoring.

Ritu Agarwal, PhD, Distinguished University Professor in the Robert H. Smith School of Business at the University of Maryland in College Park, and co-director of the school’s Center for Health Information and Decision Systems (CHIDS), said current settlements and proposed corrective actions are long overdue. “It’s difficult to comment on the size of the settlement without a deeper understanding of the loss incurred by the requesting patient,” Dr Agarwal said.

Higher Settlement Amounts Possible

Elizabeth G. Litten, Chief Privacy and HIPAA Compliance Officer for the law firm of Fox Rothschild LLP, in Princeton, New Jersey, said many providers are unclear as to when a request is made by an individual pursuant to a HIPAA authorization versus a HIPAA access request, particularly when a patient wants records to be sent to a third party. “These combined factors have led to a ‘perfect storm’ for noncompliance, so the number of OCR investigations and settlements is not surprising,” Litten said. “The relatively low settlement amounts are likely attributable to the fact that many instances of noncompliance likely stem from confusion on the part of the provider rather than negligence or willful noncompliance.”

She said she expects investigations and settlements to continue, particularly as the Office of the National Coordinator for Health Information Technology (ONC) blocking rules take effect and individuals request access via health apps and other newer technologies. “We may see higher settlement amounts, if large covered entities or business associates do not provide access in accordance with HIPAA and the ONC rules,” Litten said.

This article originally appeared on Renal and Urology News