The OCR Right of Access Initiative: A New HIPAA Compliance Perspective

HIPAA has been with us now for more than two decades, and providers often complain about the burdens caused by compliance. Patients have been complaining too: they cannot get copies of their medical records. HIPAA privacy officers understand that the compliance complexity is heavily on the side of prohibitions: HIPAA is widely understood as being about restrictions on the use and disclosure of protected health information. In fact, this federal law gives patients a near-absolute right of prompt access to their health information.

In recent years, the Office of Civil Rights (OCR) has received many complaints that providers are delaying, obstructing or refusing requests from patients for copies of their records. In these complaints, the compliance problem is not improper disclosure but improper refusal to disclose. As an enforcement response, OCR announced its “Right of Access Initiative” in 2019. This focused regulatory initiative relies on educational interactions, civil penalties, and publication of resolutions to address failures of providers to ensure that patients receive their records in a timely and efficient manner. Published resolutions suggest opportunities for process improvements that will reduce regulatory risk and improve patient satisfaction.

The rules for patient access are not complicated. A provider must act on a request in not more than 30 days. If the provider elects to invoke one of a very few exceptions to the obligation to produce the requested records, the requesting party (either the patient or the patient’s personal representative) must be given a written explanation of the decision. If the records are to be produced, they must be produced within that 30-day period. If extenuating circumstances delay production of the records, a single 30-day extension is available, but only if the provider notifies the requestor within the initial 30-day period that there will be a delay, the reason or reasons for it, and the date on which the records will be provided.

Several useful observations emerge from published enforcement actions. First, providers should not delay when a patient requests records. Responses should be prompt and complete; few practices can justify taking more than a few days to respond, especially if the records are stored electronically. Second, charging anything for initial record requests poses more risk than it is worth, especially if records are provided electronically. The possibility that the charge will be found unreasonable is a regulatory risk; the likelihood that the patient will be annoyed at having to pay for their own information is a reputational risk. Third, every provider, regardless of size, should have written policies governing patient access to records. And fourth, when correspondence is received from the Office of Civil Rights, do not ignore it. Ignoring it could add tens of thousands of dollars to a penalty and will typically result in the imposition of a corrective action plan of two years or more.

For questions about the Right of Access Initiative or for help reviewing and updating privacy policies, contact Robert Harrison at [email protected].