We’ve discussed the US Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative” in several previous articles. On May 8, the 44th enforcement action under the Initiative resolved a complaint against a Licensed Professional Counselor (LPC) who allegedly refused to release a patient’s medical records. Even after receiving technical assistance from OCR, the counselor, a HIPAA covered entity, reportedly still did not provide the records.
OCR Director Melanie Fontes Rainer stated:
Under HIPAA, parents, generally being the personal representatives of their minor children, have the right to access their children’s medical records. It’s unacceptable for an individual or their parent representative to wait nearly six years and file multiple complaints just to get patient records.
HIPAA rules can be complex, particularly for smaller providers, but they have existed for almost three decades. Although the intricacies of HIPAA privacy, security, and breach notification requirements might still be fuzzy to some providers, compliance with the law is mandatory for all HIPAA “covered entities.”
Adherence to HIPAA goes beyond simply handing patients a Notice of Privacy Practices or running a secure electronic medical record system. The obligations apply to every licensed provider, whether practicing via telehealth, teletherapy, or in person, as soon as the practice uses electronic services such as billing, email, or texting. Gaps in understanding can be hard to close, especially for small groups or independent practitioners who typically serve as their own HIPAA Compliance Officers.
Details of the LPC’s Right of Access Settlement
The recent OCR settlement of the LPC case under the Right of Access Initiative concluded with a $15,000 resolution payment and a two-year corrective action plan (CAP). OCR typically offers technical assistance first; when it does pursue a monetary settlement against a small practice, the amount tends to fall in this range.
The CAP mandates the following for the LPC:
- Update right to access policies within 30 days post-settlement, and adopt any changes OCR recommends
- Develop and submit to OCR training materials on the right to access within 60 days post-settlement for review and approval
- After OCR approves the training materials, provide training to all staff within 30 days and annually thereafter
- Deliver the requested records to the complainant within 15 days post-settlement
- Submit a detailed list of access requests received and any documentation for access denials to OCR every 90 days, beginning 90 days after receiving OCR’s approval of the right-to-access policies and procedures
- Notify OCR within 30 days if an employee fails to comply with the right-to-access policies, including a description of the failure and a plan to rectify the issue
- Submit a report to OCR summarizing the implementation status within 120 days after OCR approves the provider’s right to access policies and procedures
- Provide an annual report on the healthcare provider’s compliance with the CAP to OCR within 60 days after the end of each year of the CAP.
Telehealth Complications of the Right of Access Initiative
During COVID, many learners joining training at Telehealth.org were surprised to learn that HIPAA did not “go away.” Enforcement discretion was announced for some aspects of the HIPAA Rules, such as a provider’s choice of telehealth video conferencing platform, meaning OCR would not impose penalties for those specific issues while the public health emergency lasted. The Rules themselves remained in force. Far from asleep at the wheel, OCR turned its attention to other pressing issues, among them enforcement of the HIPAA Right of Access Initiative. In the last few years alone, OCR has addressed this same issue in 44 cases.
HIPAA vs. State Privacy Laws
One of the complicating issues for providers who serve traveling clients is that the clinician must adhere to all state and federal laws that apply in the client’s jurisdiction at the time of the session, not just those of the clinician’s home state.
- A clinician licensed in a state that treats the clinician as the owner of the record may erroneously assume that clients located in other states at the time of the session fall under the same rules. They do not.
- Rather, the laws of the state the client occupies during the session determine the applicable state law.
Whatever the state or the provider, HIPAA is federal law and OCR enforces it independently of state law. State law can add stricter patient-access protections on top of HIPAA but cannot remove the federal right, so, COVID or not, clients asserting the right of access will usually prevail.
What is the Relationship between HIPAA and the OCR?
The US Department of Health and Human Services’ Office for Civil Rights (OCR) is the federal agency responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Rules. The relationship between HIPAA and OCR is one of regulation and enforcement: OCR has the authority to investigate complaints about HIPAA violations, conduct compliance reviews, and take enforcement actions, which can include imposing civil monetary penalties.
Specifically, the OCR enforces the following:
- The Privacy Rule protects the privacy of individually identifiable health information;
- The Security Rule sets national standards for the security of electronic protected health information;
- The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and
- The Right of Access Initiative, an enforcement priority under the Privacy Rule, ensures that patients and their authorized representatives can promptly and affordably access their health records.
Through these activities, the OCR helps ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide high-quality healthcare and protect the public’s health and well-being.
What is the HIPAA Right of Access Initiative?
The HIPAA Right of Access Initiative focuses on ensuring that patients and their authorized representatives can promptly and affordably access their health records as mandated by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
HIPAA stipulates that individuals have the right to inspect or receive copies of their protected health information (PHI) held in a designated record set, with limited exceptions such as psychotherapy notes. A designated record set includes medical records, billing records, and any other records a provider uses to make decisions about the individual. The Privacy Rule requires a response within 30 days of the request, with at most one 30-day extension if the provider gives the individual written notice of the reason for the delay.
Under this Initiative, OCR holds healthcare providers accountable for violations of this right, which may involve failing to provide access within that timeframe, charging more than the reasonable, cost-based fee HIPAA allows for copies, or failing to send health records to a third party the individual has designated.
A comprehensive review of the HIPAA rules relevant to behavioral providers is beyond the scope of this article, but this Telehealth.org training program can help clarify many of the complicated requirements for HIPAA compliance.