A simple rule for avoiding expensive Patient Right of Access fines, and taking notice of compliance signs that trouble may be ahead
Maintaining a profitable medical practice in today’s economy is a challenge. One costly mistake can be avoided if you know the rules.
The “patient right of access” is a rule you should learn if you’re not familiar with it, and follow to avoid big fines. It’s a top priority for the Office for Civil Rights (OCR), the agency that enforces HIPAA. OCR has a new “Right of Access Initiative” and has settled two big cases recently.
Bayfront Medical, a Florida hospital, became the first to get hit by the federal government’s push to improve patient access to records. They paid an $85,000 settlement and agreed to a corrective action plan because they ignored this HIPAA rule and compliance signs. Then in December, OCR announced its second case, another $85,000 settlement and corrective action plan, with Korunda Medical, a Florida company providing primary care and pain management.
Records access rules
When patients ask for information about their own medical treatment, they should receive it promptly, easily and at minimal to no cost.
At Bayfront Medical a pregnant mother wanted information about her unborn child’s heart rate, so she asked, and asked, and asked again. Bayfront Health St. Petersburg was slow, didn’t reply, and didn’t prioritize her request. Nine months later federal regulators started to investigate, and she finally got her answer, although HIPAA requires that records be provided within 30 days.
This right to patient records extends to parents who wish to obtain medical information about their minor children, and in this case, a mother who sought prenatal health records. In addition to the $85,000 settlement, Bayfront agreed to a corrective action plan, requiring OCR oversight for three years to make sure they follow HIPAA.
At Korunda Medical it was a simple ask: “Please email my medical records to my new physician.” But Korunda Medical didn’t take its patient request seriously or heed the compliance signs.
The resulting OCR investigation cost Korunda, a health care provider serving more than 2,000 patients, $85,000 and a lot of bureaucratic headaches in the form of a lengthy corrective action plan.
Instead of simply sending a secure digital version of its patient’s records as required by HIPAA, Korunda stalled, overcharged for the records, and ultimately sent the document in the wrong format. Bayfront and Korunda could have avoided this liability had they known the rules — step-by-step rules which are easy to follow.
Compliance signs: what does ‘Right of Access’ look like?
It should be fast, easy and convenient.
Individuals should be able to view or obtain a copy of their medical information contained in a “designated record set.” That means a broad range of information used to make decisions, including medical, billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes.
There are a few limited exceptions to the right of access. Examples include:
- Psychotherapy notes;
- Records that are part of a research study still in progress;
- Information compiled for a legal proceeding.
Patients are entitled to their records no matter where they’re located. If the records are held by a business associate (like a billing vendor or practice manager), the business associate agreement usually says whether the business associate may give them directly to the patient, or should give them to the covered entity to send to the patient.
Patients may request the information from their health care provider or health plan, who must provide it in the format requested — paper or electronic, and delivered by mail or email. They may direct that the information be delivered to a designated third party — a family member, a personal health record service or mobile health application.
The provider should deliver promptly, but in no more than 30 days. When more time is needed, the provider should inform the individual of the reason, but take no longer than an additional 30 days. Any fee for providing records should be reasonable and cost-based, i.e., minimal.
Three common problems are providers failing to send records via email when requested, taking more than 30 days, and charging too much.
Another issue plagues health care providers — they often confuse HIPAA right of access with authorization. No patient authorization or form is needed.
HIPAA Right of Access is an OCR priority
OCR Director Roger Severino warned in December of last year that the Bayfront and Korunda cases are the first examples, and OCR will continue to investigate similar claims.
“For too long, health care providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia,” Severino said. “We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up health care providers to their obligations under the law.”
Check your state rules
HIPAA preempts state law except when state law is more stringent, so always look to your state law also when it comes to medical records, access and privacy.
In California, for instance, records must be produced within 15 days of the request. How quickly does your business respond to records requests, and is it heeding the compliance signs? Do you have a plan?
If the answer to any of these questions makes you nervous, think about getting help to get your HIPAA house in order and keep up with the latest hot-button HIPAA topics. Learn the basics to avoid big fines.
MAGGIE HALES, JD, is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance. Learn more about easy steps to compliance at thehipaaetool.com.