We have written several times about the U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such enforcement action, the OCR investigated a complaint made against a psychotherapist concerning the alleged refusal to provide medical records. Ultimately, and even after the OCR provided “technical assistance,” the OCR claimed the covered entity still failed to provide the records.
“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”
The settlement resulted in a $15,000 resolution amount and required compliance with a two-year corrective action plan (CAP). The CAP includes the following requirements for the solo practitioner:
- Review and revise right to access policies within 30 days of the settlement, and review and adopt OCR-recommended changes to such policies.
- Provide to the OCR right to access training materials within 60 days of the settlement for OCR’s review and approval.
- Following OCR’s approval of the training materials, provide training to all employees within 30 days and annually thereafter.
- Provide the requested records to the complainant within 15 days of the settlement.
- Within 90 days of receiving OCR’s approval of the right to access policies and procedures, and every 90 days thereafter, submit to OCR a detailed list of requests for access received by the healthcare provider, and documentation for any denials of access.
- In the event an employee of the provider fails to comply with the right to access policies, the provider must notify OCR within 30 days and include a description of the failure and mitigation plan.
- Within 120 days after OCR’s approval of the provider’s right to access policies and procedures, submit to OCR a report summarizing the status of implementation.
- Within 60 days after the end of each year of the CAP, submit to OCR an annual report regarding the healthcare provider’s compliance with the CAP.
For small providers, the HIPAA rules can be confusing; they also are more than 20 years old. So, smaller practitioners, particularly those newer to practice, simply may not be fully aware of the scope of, and obligations under, the HIPAA privacy, security, and breach notification rules. Compliance goes well beyond handing patients a template Notice of Privacy Practices and having a secure electronic medical record platform.
The full scope of the HIPAA rules is beyond the scope of this post, but at least for the right to access and considering the OCR’s Enforcement Initiative, here are some resources to help avoid patient complaints and an onerous OCR corrective enforcement action: