The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced last week that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount is relatively small in comparison to the seven-figure settlements that OCR has entered into in recent years, this enforcement action is notable for being the first related to OCR’s Right of Access Initiative launched earlier this year. The OCR Right of Access Initiative seeks to enforce patients’ right to receive copies of their medical records promptly and without being overcharged.

The Settlement

OCR initiated an investigation into the Medical Center following its receipt of a complaint from a mother who requested access to her unborn baby’s medical records under the HIPAA right of access. The HIPAA right of access extends to personal representatives of the patient, such as parents of minor children. The mother first requested access to her baby’s medical records in October 2017, at which point the Medical Center informed the mother that the records could not be found. The mother’s attorney subsequently requested the records on her behalf in January 2018 and again in February 2018. The Medical Center did not provide the mother with a complete set of records until August 2018, after she had already submitted her complaint to OCR and OCR’s investigation had commenced.

According to the Resolution Agreement, OCR’s investigation revealed that the Medical Center failed to provide the mother with access to protected health information pursuant to the HIPAA right of access set forth at 45 C.F.R. § 164.524, which requires covered entities to provide individuals with access to their medical records and other protected health information maintained in a designated record set within 30 days of the individual’s request for such records.

In addition to the $85,000 monetary settlement, the Medical Center agreed to a one-year Corrective Action Plan (CAP) that requires the Medical Center to, among other things, revise and implement policies and procedures regarding patient access to medical records and train its workforce on such policies. Notably, the CAP also extends to the Medical Center’s business associates involved in receiving or fulfilling medical records requests, in several ways. First, the Medical Center’s business associates must certify compliance with the Medical Center’s revised policies and undergo training on such policies. Second, the Medical Center must provide OCR with the names of its business associates involved in receiving or fulfilling medical records requests, along with copies of its business associate agreements with such vendors. Third, in addition to reporting to OCR each instance in which one of its own workforce members fails to comply with its revised policies, the Medical Center must also report to OCR each instance of a business associate failing to comply with those policies.

The Takeaways

OCR has made clear through last week’s settlement that it intends to hold covered entities accountable for providing patients with access to their medical records under HIPAA. Healthcare providers and plans should ensure that they have the written policies and procedures, as well as the operational infrastructure, needed to respond to medical records requests in a manner that complies with both HIPAA and applicable state law.

While HIPAA sets a “floor” of requirements regarding patients’ rights to access medical records, the laws in many states are more stringent than HIPAA on this issue, particularly with respect to how quickly records must be provided. For example, physicians in California must provide patients with copies of requested medical records within 15 days of the patient’s request; because this requirement is more stringent than HIPAA’s, it applies in place of HIPAA’s 30-day time frame. Additionally, many states establish specific fee schedules that further limit the HIPAA “reasonable, cost-based fee” that healthcare providers may charge for fulfilling a records request. Healthcare providers and plans should therefore also take note of the state laws on access requests that may apply in addition to HIPAA.

For help with responding to a HIPAA complaint or investigation initiated by OCR or a state attorney general; developing or updating a HIPAA compliance program, including policies and procedures on fulfilling access requests and establishing permitted charges for doing so; or any other related inquiries, please contact one of the authors.