The Right of Access to Patient Records: An Overlooked Imperative

HIPAA has been with us now for two decades, and providers often complain about the burdens caused by compliance.  Former U.S. Senator Larry Craig observed that what started out as a kernel of legislative intent “grew into a towering tree of regulatory complexity.”  One of the challenges with compliance is that its complexity is heavily on the side of prohibitions: HIPAA is widely understood as a set of rules restricting the release or disclosure of protected health information.  In fact, an important initial purpose was to facilitate the release and disclosure of information as health insurance became more “portable.”  Because that was to be done electronically, concerns over information privacy took center stage.  Nevertheless, ease of access as employees moved from job to job was the initial goal of the legislation; under this federal law, patients have a near-absolute right of prompt access to their health information.

In recent years, the Office of Civil Rights (OCR) has received many complaints that providers are delaying, obstructing or refusing requests from patients for copies of their records.  In these complaints, the compliance problem is not improper disclosure, but improper refusal to disclose.  As an enforcement response, OCR announced its “Right of Access Initiative” in 2019.   This focused regulatory initiative relies on educational interactions, imposing civil penalties, and publication of resolutions to address failures of providers to ensure that patients receive their records in a timely and efficient manner.  Published resolutions suggest opportunities for process improvements that will reduce regulatory exposure and patient dissatisfaction.

The rules for patient access are not complicated.  A provider must act on a request in not more than 30 days.  If the provider elects to invoke one of a very few exceptions to the obligation to produce the requested records, the requesting party (either the patient or the patient’s personal representative) must be given a written explanation of the decision.  If the records are to be produced, they must be produced within that 30-day period.  If extenuating circumstances cause delays in production of the records, a single 30-day extension is available, but only if the provider notifies the requestor within the 30-day period that there will be a delay, the reason or reasons, and the date on which the records will be provided.  In other words, it is not an automatic extra 30 days for no reason other than delay.  Also, any fees charged must be limited to a reasonable cost-based amount.

There have now been twenty-nine published enforcement resolutions for the Right of Access Initiative: three examples are instructive.  In the first, a small primary care practice received several requests from a patient for his records in late 2018 and early 2019.  When the records were not provided, the patient filed a complaint with the OCR.  In response, OCR provided educational guidance to the practice and closed the matter.  In October of 2019, OCR received a second complaint; the patient had still not received his records.  A second investigation was opened and even then, the patient did not receive the records until May of 2020, 18 months after the requests began.  A penalty of $36,000 was imposed.  In the second example, less egregious but less defensible, a large regional health system with a team of health information professionals was penalized $200,000 in resolution of complaints from two unrelated patients, each alleging that records requests were not responded to for more than 6 months.  In the third example, in a resolution announced March 28, 2022, OCR imposed a $28,000 penalty and a two-year corrective action plan to resolve allegations that a psychiatric practice failed to provide records in a timely manner, imposed an excessive charge for the records, and had inadequate written policies for patient access to records.

Several themes emerge from these and the other twenty-six resolutions.  First, do not delay when a patient requests records.  Responses should be prompt and complete; few practices can justify taking more than a few days to respond, especially if the records are stored electronically.  Second, charging anything for initial record requests poses more risk than it is worth, especially if records are provided electronically.  The possibility that the charge will be found unreasonable is a regulatory risk; the likelihood that the patient will be annoyed at having to pay for their own information is a reputational risk.  Third, every provider, regardless of size, should have written policies governing patient access to records.   And fourth, when correspondence is received from the OCR, do not ignore it.   That could add tens of thousands of dollars to a penalty and will typically result in the imposition of a corrective action plan of two years or more.

Lastly, the right of access is now augmented by the “Health Information Blocking” rules enacted as part of the 21st Century Cures Act.  Those rules, and the additional enforcement options available to the government, will be covered in a later issue.

Robert R. Harrison is a partner with Stilling & Harrison, PLLC, in Salt Lake City.