“HIPAA Right of Access Initiative Continues!”

We have been following the OCR’s and HHS’ Right of Access Initiative over the past months and the investigations continue to climb. The purpose of the initiative is to support individuals’ right to access their health records in a timely manner.

The most recent settlement was against a healthcare organization who first “failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party.” OCR then received a second complaint regarding the organization’s failure to respond to an access request.

The organization will pay a $70,000 settlement and will need to adhere to a corrective action plan. The plan includes developing policies and procedures regarding the right to access. We at BlueOrange always emphasizes the importance of policies and procedures to create clear expectations and instructions to all staff. A policy and procedure that outlines the process for handling a request to access PHI will help requests not fall through the cracks! Make sure to review your organization’s policies and procedures around the right to access and that all necessary staff has the opportunity to review them, as well.

Here is a reminder of what your formal process documents should include:

  • Any documentation that the patient needs to complete in order to request access.
    • A form that includes the following is advised:
      • Patient name and DOB
      • Contact information
      • Delivery Type (Printed or Electronic)
      • Records that are being requested
      • How the organization will notify the patient when their records are ready for pick up
      • Date and Signature of patient or their legal representative
    • A form that outlines the copying and mailing costs the patient will be responsible for.
      • See 45 CFR 164.524(c)(4) for what fees can be charged to a patient
  • Forms of identification that are acceptable to prove patient identity.
  • Personnel in which access requests should go through.
    • State a specific person, role, or department that should carry out requests and who has final approval.
  • The expected timeframe that an access request should be completed.
    • This should be determined by the organization but cannot exceed 30 calendar days from the date of the request.
      • The covered entity may extend the time, if needed, by an additional 30 days but the patient must be notified in writing within the initial 30 days of the delay. Only one extension is permitted per access request.
  • Grounds for denial
    • Any grounds for denial should be carefully researched and compared to 45 CFR 164.524(a), 45 CFR 164.524(b), 45 CFR 164.524(d) for legality.
  • It’s important to note that the handling of sensitive information, such as psychotherapy notes, substance abuse, and blood borne diseases may require a different approach.