David Brust, Class of 2022, Belmont Law
On September 10, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it settled its twentieth HIPAA Right of Access Initiative investigation. The investigation stemmed from a March 2020 complaint made by a parent alleging that Children’s Hospital & Medical Center (CHMC) in Omaha, Nebraska “failed to provide her with timely access to her minor daughter’s medical records” despite multiple requests. To settle this potential HIPAA Privacy Rule violation, CHMC agreed to pay OCR $80,000 and to take corrective actions. These corrective actions include CHMC updating procedures for providing individuals with their health information, training its workforce on receiving, reviewing, processing, or fulfilling records requests, and reporting to HHS any future compliance failures.
Under the HIPAA Privacy Rule, covered entities are required to allow individuals to access their medical records and other private health information (PHI). Typically, covered entities, such as health care providers, require the individual to request their medical records in writing before the information will be provided. Once an individual requests their medical records, the covered entity has thirty calendar days from receiving the request to provide the individual access to their medical records. The covered entity may extend this deadline for another thirty calendar days one time per request. Additionally, covered entities may only impose reasonable costs to cover the labor of copying the PHI, the supplies used for making the copy or electronic media, the postage if mailed, and the preparation of a summary of the PHI. Failure to comply with the rules regarding an individual’s request for PHI can result in a violation of the HIPAA Privacy Rule.
In 2019, OCR announced that it would begin the Right of Access Initiative. The aim of the initiative is to enforce individuals’ rights to access their health information in a quick and easy way. As stated, since the initiative began, OCR has now settled twenty investigations of covered entities failing to provide individuals with their health information in a timely manner. These settlements have ranged from as low as $5,000 to $200,000. The most recent settlement was the seventh settlement in 2021 alone, and brings the total amount recovered in 2021 to $525,000. OCR has made it clear that it intends to keep enforcing the right of individuals to access their health information. Thus, covered entities should review their policies regarding fulfilling individuals’ requests for health information to make sure they comply with the HIPAA Privacy Rule and avoid potential hefty settlements with OCR.