The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has settled its tenth HIPAA Right of Access Initiative case against the Riverside Psychiatric Medical Group (RPMG). HIPAA, the Health Insurance Portability and Accountability Act of 1996, is U.S. legislation created to improve health coverage standards and combat fraud and abuse related to protected health information (PHI).
RELATED: What is HIPAA? Or is it HIPAA?
OCR enacted the Right of Access Initiative in 2019 to support individuals seeking access to their PHI under the HIPAA Privacy Rule. In this blog, we will explore more about the Privacy Rule and the Right of Access Initiative as well as what its enforcement means for HIPAA covered entities (CEs).
The HIPAA Privacy Rule and Right of Access
The HIPAA Privacy Rule, enacted in 2003, establishes national guidelines regarding how CEs protect medical records—i.e., PHI and electronic PHI (ePHI). In other words, it sets the standards for HIPAA compliance. Under the rule, CEs must establish appropriate safeguards and set limits on PHI use and disclosure.
Furthermore, the Privacy Rule also spells out patients’ rights on how to understand and control (i.e., access) their health information. Upon request, a CE must provide a patient his/her PHI, called a designated record set, within 30 days. It may only charge a reasonable cost-based fee. OCR defines a designated record set as a group of records that comprise:
- Medical and billing records
- Enrollment, payment, claims adjudication, and case or medical management record systems
- Other records used by a CE to make decisions about an individual
The Privacy Rule also excludes some records, such as those kept to make certain quality assessments or general business decisions. This includes two “expressly excluded” categories:
- Psychotherapy notes—personal notes written by a mental healthcare provider
- Information compiled in anticipation of a civil, criminal, or administrative action or proceeding
What is the HIPAA Right of Access Initiative?
OCR announced the HIPAA Right of Access Initiative as an enforcement priority in 2019. The federal agency investigates all HIPAA violations, whether due to a security breach, noncompliance, or an error in right of access denial.
According to the Initiative’s guidance, “Putting individuals ‘in the driver’s seat’ with respects to their health . . . is a key component of health reform and the movement to a more patient centered health care system.” The first OCR case, settled in September 2019, was against Bayfront Health St. Petersburg for failure to provide a mother timely access to her unborn child’s records. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino within the press release. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” And since the first case, OCR has settled 10 more:
- Korunda Medical, LLC (December 2019)—failure to forward records to a third party
- Housing Works, Inc. (September 2020, with the next four)—failure to provide access
- All Inclusive Medical Services, Inc.—refusal to provide records
- Beth Israel Lahey Health Behavioral Services—failure to respond to a request
- King MD—failure to provide access
- Wise Psychiatry, PC—failure to provide access to a minor’s records
- Dignity Health (October 2020)—failure to provide access to a minor’s records
- NY Spine Medicine (October 2020)—failure to provide all PHI
The tenth Right of Access violation
RPMG, based in Riverside, California, is a group practice that specializes in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders. In March 2019, a patient complained to OCR that RPMG failed to send her requested PHI despite asking them repeatedly for two months. OCR contacted RPMG to assist, but the patient filed a second complaint in April after continual noncompliance. At this point, OCR initiated an investigation and found that RPMG failed to take action, committing a potential HIPAA violation.
RPMG claimed it did not comply because the records included psychotherapy notes, but the Privacy Rule states that denial must include a written explanation. Furthermore, the group could have sent the covered records. Neither was provided. RPMG finally sent the records (excluding the psychotherapy notes) in October 2020 after signing the resolution agreement, assenting to pay OCR $25,000 and enacting a corrective action plan.
ConclusionWithin OCR’s release for its tenth case, Severino further stated, “When patients request copies of their health records, they must be given a timely response, not a run-around.” In essence, this is the message behind the HIPAA Right of Access Initiative. CEs must:
- Comply with HIPAA right of access requirements
- Follow through if OCR offers assistance
- Provide either the records and/or a written denial in a timely fashion
- Be prepared to face an investigation, HIPAA violation, and monetary settlement
CEs need to review their HIPAA-related policies and procedures to ensure they are compliant and remain compliant at all times. Without a doubt, right of access is about delivering proper patient care, which is why OCR and HIPAA provide crucial guidance.