OCR’s 2019 Right of Access Initiative Bears First Fruit

Hospital Agrees to Pay $85,000 for Failure to Provide Patient Timely Access to Records

by Margaret Young Levi and Kathie McDonald-McClure

On September 9, 2019, the Office for Civil Rights (OCR) announced its first settlement under its “Right of Access Initiative.” Without admitting any wrongdoing, a hospital has agreed to pay $85,000 to the United States Department of Health & Human Services (HHS) as a result of a 10-month delay in providing access to protected health information (PHI). Importantly, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to “act on” requests for access within 30 days of a request. The hospital also entered into a Corrective Action Plan (CAP) that required the hospital to implement, and train staff on, policies and procedures to ensure individuals have timely access to their requested PHI.

What led to the settlement? The patient raised the issue of untimely access in a complaint to the OCR on August 14, 2018. The patient alleged that on October 18, 2017, she requested her unborn child’s fetal heart monitor records from Bayfront Health – St. Petersburg (Hospital), a Florida hospital.  At the time of her OCR complaint, nine months had passed without receiving any records.  The reason given to the patient by the Hospital for not producing the records was that it could not find them.

Before filing the OCR Complaint, the patient’s counsel had also requested the records from the Hospital, twice.  In response to counsel’s first request, the Hospital provided an incomplete set of records in March 2018.  Finally, on August 23, 2018, just after the OCR Complaint was filed, the Hospital provided a complete set to counsel’s second request.  The Hospital ultimately provided the requested records directly to the patient on February 7, 2019.

What are the right to access requirements? HIPAA’s right of access regulations at 45 C.F.R. § 164.524(a) set forth a number of detailed requirements. As an initial matter, the right of access grants patients a right to inspect and obtain a copy of PHI about them in a “designated record set.” The individual has this right of access for as long as the PHI is maintained by the covered entity regardless of the date the information was created.  In other words, even if a provider is not required by law to maintain an individual’s medical records beyond a certain date, the right to access continues for as long as the provider keeps the requested records in paper or electronic form – onsite, remotely or archived.

The right of access generally applies to all PHI about the individual except for: a) psychotherapy notes, and b) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.  The right of access requirements also detail the grounds for denying access (along with reviewable and unreviewable grounds), the form, time and manner of access,  and the fees that can be charged for such access.

Regarding timely access, the regulations require that the covered entity must act on a request for access no later than 30 days after receipt of the request. By acting on the request, the covered entity must either: a) inform the individual that access is granted and provide the requested access; or b) if the request is denied in whole or in part, provide the individual with a written denial that states the basis for the denial, a statement of the review rights (if applicable) and how to exercise such rights, and a description of how to complain to the covered entity or to the OCR.

Why the focus on Right of Access?  According to the OCR’s Enforcement Highlights reported as of July 31, 2019, the OCR had investigated and resolved over 27,109 cases since April 2003 that required changes in a covered entity’s privacy practices and corrective action.  The third most frequently investigated compliance issue was lack of patient access to their protected health information.  In the OCR’s news release on its first right of access settlement, OCR Director Roger Severino stated, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” The OCR’s 2019 Right of Access Initiative together with this recent settlement indicate that the OCR is taking a hardline position on violations of a patient’s right of access.

What should covered entities do to reduce noncompliance?

  •  Review the right of access regulation at 42 CFR §164.524.
  •  Review OCR guidance educating providers on the right of access, “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.”  
  •  Review your policies and procedures to ensure they meet the rule’s requirements.
  • Train your staff to ensure they understand the right of access requirements and how to handle individual requests under your policies and procedures.

If you have questions and would like additional legal guidance on the right of access requirements, including assistance in drafting appropriate policies or in handling a particular request for PHI, feel free to contact a member of Wyatt’s Health Care Service Team.

Margaret Young Levi

Wyatt, Tarrant & Combs, LLP
520 West Main Street, Suite 1600
Lexington, KY 40507
Direct: (859) 288-7469
Fax: (859) 259-0649
Email: mlevi@wyattfirm.com

Kathie McDonald-McClure

Wyatt, Tarrant & Combs, LLP
500 West Jefferson Street, Suite 2800
Louisville, KY 40202
Direct: (502) 562-7526
Fax: (502) 589-0309
Email: kmcclure@wyattfirm.com


Additional resources for this article included the following: “HHS civil rights division enters first settlement over patient records,” by Susannah Luthi, Modern Healthcare (Sept. 9, 2019); “Bayfront Health to Pay $85K for Possible HIPAA Right of Access Violation,” by Jessica Davis, HealthITSecurity (Sept. 10, 2019); “OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative,” HIPAA Journal (Sept. 10, 2019).