Right of Access ViolationsThe US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has continued to press its enforcement efforts in support of patient’s right to access to records, in the midst of the COVID pandemic-related relaxation of enforcement for some of HIPAA’s other privacy and security rules. The OCR has recently announced twelve Right of Access Violations.

The OCR HIPAA Right of Access Initiative was announced in 2019 in response to mounting complaints by patients who were being denied access to their records by their healthcare providers and organizations. These groups are known as “covered entities,” and further defined here.

What is the HIPAA Right of Access Initiative?

The right to one’s health records in the United States is classified under the HIPAA Privacy Rule and is explained here. The 2019 Office for Civil Rights announcement of the HIPAA Right of Access Initiative gave:

  1. support to individuals’ right to timely access to their health records at a reasonable cost and
  2. enforcement priority to cases involving refused access to patient records. In short, individuals have a right to access Protected Health Information (PHI) in a “designated record set,” which is defined at 45 CFR 164.501 as:

…A group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

In response to a request for access, a covered entity is not required to create new information, such as explanatory materials or analyses.

What Are Being Considered Right of Access Violations?

Since 2019, twelve separate enforcement actions related to the HIPAA Right of Access Initiative have been announced by OCR. These actions typically involve fines and corrective action plans. The timeline shows that the OCR is not taking its foot off the gas pedal:

  • In a July article called OCR Settlements on the Rise as HHS Resumes Enforcement, TBHI reported that two HIPAA law enforcement settlements were reported by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for a variety of right of access violations, including:
    • Failure to conduct any risk analyses
    • Failure to implement policies and procedures
    • Failure to provide workforce members with security awareness training
    • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
    • Failure to implement media and device controls
    • Failure to have a business associate agreement
  • Just three weeks ago, TBHI announced in its weekly email newsletter that five more right of access violations were recently announced by OCR because covered entities refused to grant the right of access to clients or patients who request records. See 5 HIPAA Violation Fines for Failing to Grant the Right of Access for details.
  • This week, yet another OCR report announced its tenth enforcement action in its HIPAA Right of Access Initiative. In OCR Settles Tenth Investigation in HIPAA Right of Access Initiative, Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.  RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders. The OCR report explains:

OCR initiated an investigation and determined that RPMG’s failure to take action in response to the individual’s request was a potential violation of the HIPAA right of access standard.  RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request.  While the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding).  

As a result of OCR’s investigation, RPMG sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October 2020.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino.

Who Is Being Targeted by OCR for these Right of Access Violations?

Disciplinary action for right of access violations are being reported against all classes of covered entities, from individual practitioners to large medical groups. In a standard HIPAA law enforcement approach, the OCR targets a variety of violators to make it clear that no one is exempt. Consider these two most recent announcements as an example of each class of violator, from smallest to largest:

Dr. Rajendra Bhayani, who is a private practitioner specializing in otolaryngology in Regal Park, New York, has agreed to take corrective actions and pay $15,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

The University of Cincinnati Medical Center, LLC (UCMC), is an academic medical center providing healthcare services to the Greater Cincinnati community. In May 2019, OCR received a complaint alleging that UCMC failed to respond to a patient’s February 22, 2019, records access request directing UCMC to send an electronic copy of her medical records maintained in UCMC’s electronic health record (EHR) to her lawyers.  OCR initiated an investigation and determined that UCMC failed to timely provide a copy of the requested medical records in potential violation of the HIPAA Rules, which include the right of patients to have electronic copies of records in an EHR transmitted directly to a third party.  As a result of OCR’s investigation and intervention, the complainant received all of the requested medical records in August 2019. UCMC has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

HIPAA and Law Enforcement Take-Away Lesson for Telehealth Providers

Take-away lessons for readers of this article may be different for different readers.

  • Providers: Telehealth professionals serving citizens of the United States may want to learn HIPAA’s relevance to their telehealth practices. (See Basic Telehealth Legal Issues: Rules, Regulations & Risk Management.)
  • Faculty & Supervisors: Graduate program faculty and/or supervisors may want to consider developing interactive tasks for graduate students by visiting the “HIPAA Wall of Shame” to identify HIPAA violators and types of infractions reported by CMS. This OCR-developed tool is designed to serve as a warning for all who have not understood or heeded HIPAA since 1996. While reviewing the long list of named violators is an eye-opener, it may be most impactful to review the remarkable list of right of access violations that are being disciplined.

Provider beware. Ignorance is not a defense in the face of the law.

To learn solid telehealth models, consider the evidence for competency-based telehealth training.