As a HIPAA covered entity, behavioral health practices have an obligation to uphold the standards set forth by the HIPAA Privacy Rule, including the right of access. The right of access mandates that patients have the right to request copies of and view their protected health information (PHI), specifically a “designated record set.”
A “designated record set” includes the following:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
- These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Although patients have the right to access their medical information, if the covered entity believes that giving the patient access to their records will cause harm to the patient or others, they are permitted to deny access to the information. Particularly when it applies to the following:
- Psychotherapy notes
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
- Information held by certain research laboratories
What is Required by the HIPAA Right of Access
To be HIPAA compliant, covered entities must respond to patient requests within 30 days of receiving it. Additionally, records must be provided in the format requested by the patient, such as mail, email, USB, or CD. Lastly, providers cannot charge excessively for patients’ access, they can only charge for supplies and time it takes to complete the request, such as paper, toner, media, etc.
OCR Enforcement of the Right of Access
The Office for Civil Rights (OCR), the enforcement arm of the Department of Health and Human Services (HHS), has reached two separate settlements this year of $85,000 for noncompliance with the HIPAA right of access.
- Bayfront Health: the Floridian hospital was fined $85,000 in September 2019 for failing to provide health records requested by a patient’s mother. In October 2017, the woman requested the fetal heart rate monitor records for her child. After three separate requests to the hospital for the records, the hospital still had not provided her with records, leading her to file a complaint with OCR. In February 2019, after OCR intervened, the hospital provided the woman with the requested records. In addition to paying the fine, Bayfront must implement a corrective action plan and is subject to OCR monitoring for a year.
- Korunda Medical, LLC.: a primary care and pain management provider in Florida, was fined $85,000 in December 2019 for violating the HIPAA right of access. The OCR received complaints that Korunda repeatedly failed to provide patients with records in a timely manner, exceeding the 30 day period permitted by HIPAA. This wasn’t the first time OCR had received complaints about Korunda. Previously the OCR had provided Korunda with ‘technical assistance’ to ensure their compliance. However, they continued to fail to meet the requirements of the right of access. As such, in addition to the fine, Korunda is subject to OCR monitoring for one year, they must implement a corrective action plan, adjust their policies and procedures in line with HIPAA standards, retrain employees, and submit a list of patient record requests to the OCR every 90 days.