In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized resolutions related to 41 Right of Access claims, including two civil monetary penalties (CMP) and 39 settlements totaling $2,428,650. In BakerHostetler’s 2022 Data Security Incident Response (DSIR) Report, we highlighted OCR’s ongoing commitment to its Right of Access Initiative, fully expecting the trend would continue, and also provided a high-level list of red flags based on the resolution agreements published at the time. In this blog post, we take a deeper dive into OCR’s enforcement actions under this initiative to date, including major themes and shifts in approach.
Right of Access Generally
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets forth an array of individuals’ rights over their health information, including the right to access their medical records. See 45 CFR § 164.524(a)(1). According to OCR, “providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.” It also puts “individuals in the driver’s seat [and] is a key component to…a more patient-centered healthcare system.”
Subject to limited exceptions, the Privacy Rule requires that HIPAA covered entities permit individuals and their designated representatives the right to inspect and/or obtain a copy of their medical record upon request as well as the right to transmit the requested information to a third party, such as an attorney or caretaker. The Privacy Rule outlines the following standards and implementation specifications with respect to an individual’s Right of Access:
- Scope. Individuals have the right to access protected health information (PHI) maintained in a designated record set. HIPAA broadly defines “designated record set” to include medical records and billing records maintained by a provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by a health plan; and other records maintained and used by a covered entity to make decisions about an individual. See 45 CFR § 164.501 (emphasis added). Individuals do not have a right to access psychotherapy notes or information that is compiled in anticipation of an administrative action or legal proceeding. See 45 CFR §§ 164.524(a)(1)(i)-(ii).
- Timeliness. Within 30 calendar days of receiving a request, a covered entity must respond by (i) providing the requested access, (ii) providing a written denial explaining the basis for the denial, and/or (iii) informing the individual that an extension of up to 30 days is necessary to fulfill the request. Per OCR guidance, the 30-day time frame is an “outer limit” and covered entities are encouraged to respond to access requests as soon as possible. Importantly, state law might require a more expeditious response than HIPAA’s 30 days. The same OCR guidance reiterates that HIPAA does not preempt state laws that provide individuals with greater access rights and are not contrary to HIPAA.
- Form of Access. The Privacy Rule requires covered entities to give access to PHI in the form and format requested by the individual (e.g., electronic or paper, type of file, etc.). If the designated record set is not readily available or producible by the covered entity in the requested form or format, the covered entity and individual must agree on an alternative means of production. OCR has stated that it expects all covered entities to have the ability to transmit PHI by mail or email, such that PHI can be readily producible in these formats. As a result, OCR has also stated that a covered entity cannot require that an individual travel to its physical location to obtain a copy of a requested medical record.
- Fees. Individuals can only be charged for the cost of (i) labor for copying the requested PHI (whether in paper or electronic form); (ii) supplies for creating a paper copy or using a device (e.g., a USB drive); (iii) postage for mailing paper copies; and (iv) labor for preparing an explanation or summary of the responsive PHI. Many of these costs are only permitted if the activity to which the cost relates was requested by the individual. Other costs cannot be charged, even if permitted by state law.
- Written Requests. While covered entities can control the options available to individuals to submit an access request, these options cannot create a barrier or cause unnecessary delay. Covered entities can require individuals to submit a signed access request in writing, but only if they have informed individuals of such a requirement.
- Third Parties. Individuals have the right to direct a covered entity to transmit their PHI directly to a designated third party. Contrary to requests for PHI by the individual who is the subject of the PHI, requests to direct PHI to a third party must be in writing, be signed by the requesting individual and clearly identify the third party to receive the information. Note, the fee limitations discussed above do not apply to requests to transmit records directly to a third party.
- Right to Deny. In limited circumstances, a covered entity can deny, in whole or in part, an individual’s request for access to his or her records. For certain denials, individuals have the right to request that a licensed healthcare professional not involved in the original decision review the denial. There are grounds for a denial that are non-reviewable as well, such as when the request seeks psychotherapy notes. Whether the request is reviewable or not, covered entities must explain the denial in plain language, explain the individual’s right to review, as applicable, and provide details on how the individual can submit a complaint to OCR.
Summary of Enforcement Actions to Date
This chart provides a high-level overview of OCR’s Right of Access enforcement actions by year. As noted above, OCR first announced its Right of Access Initiative in 2019, with the first enforcement action being publicized in September of that year. Accordingly, the numbers for 2019 span only a four-month period. Additionally, the numbers for 2022 are as of September 30.
Themes and Enforcement Approach
Looking to the chart, the number of times OCR provided technical assistance between 2020 and 2021 stands out. Technical assistance generally comes in the form of a letter or email and includes a summary of the complaint, references to applicable HIPAA provisions and guidance on how to comply with the same. These letters administratively close OCR’s investigation (typically including language like, “On [date], OCR provided technical assistance to the Covered Entity regarding the applicable provisions of the Privacy Rule.… Based upon the information and evidence obtained during OCR’s investigation, we have determined not to investigate this matter further and are closing our investigation as of the date of this letter.”). Of the 11 Right of Access enforcement actions announced in 2020, OCR first issued technical assistance to the covered entity and closed the complaint in six — over 50% — of the matters. It was not until OCR received a second complaint from the individual, stating they still had not received the requested records, that OCR initiated a second investigation, which then resulted in a fine. Thus, at the end of 2020, healthcare professionals may have expected they would get at least one “free pass” from OCR for Right of Access issues. However, in 2021, OCR issued technical assistance in only a third of the enforcement actions. Thus far in 2022, OCR has issued technical assistance only once.
This does not mean covered entities subject to an investigation stemming from a Right of Access complaint should expect to be fined. The resolution agreements don’t always provide much insight into what pushes OCR to close its investigation versus not close it. Rather, this shift in OCR’s enforcement strategy reinforces the need for covered entities to continue prioritizing their processes as they relate to access requests.
While the decrease in overall total resolution amount (down 44% in 2021 from 2020) may stand out, this is largely attributable to the fact that enforcement actions for Right of Access complaints generally produce lower settlements. What is more notable is the fact that 2021 saw the initiative’s first CMP and the highest Right of Access settlement yet. Already in 2022, however, OCR has kept pace, issuing another CMP and raising the highest Right of Access settlement from $200,000 to $240,000.
Finally, another notable point not relayed in the above chart is that OCR’s Right of Access Initiative has encompassed organizations of all types and sizes — from large health systems to small dental practices to sole proprietors. As newly minted OCR Director Melanie Fontes said when announcing the most recent Right of Access resolutions, all of which involved dental practices, “these [actions] send an important message to [practices] of all sizes that are covered by the HIPAA Rules to ensure they are following the law.”
What to Expect
With nothing to suggest otherwise, we expect the Right of Access Initiative will continue to reign as OCR’s top enforcement priority. If the past three years weren’t indication enough, the proposed changes to the HIPAA Privacy Rule should be. Specifically, in 2018, OCR issued a request for information (RFI) seeking comments on potential changes to the HIPAA Rules. Subsequently, in 2020, OCR issued a Notice of Proposed Rulemaking outlining potential changes to the Privacy Rule based on comments it had received in response to its 2018 RFI. As they relate to the Right of Access, the proposed updates include, in part:
- Cutting the response time frame in half. Covered entities will be expected to act on access requests within 15 calendar days, though they may exercise a 15-day extension. This is in comparison with the current 30-calendar-day response time frame and 30-day extension.
- Allowing individuals to inspect their record in person and take photos, videos and/or notes.
- Allowing individuals to direct a covered entity to transfer PHI to a personal health application used by the individual.
The date the Final Rule will be published and when organizations subject to HIPAA will be expected to be in compliance are yet to be announced. However, given the significant impact the proposed changes could have on access requests, covered entities should at least be considering what operational challenges they may face as a result and how to overcome them.