Waller
  October 12, 2020 - Tennessee

OCR's 'Right of Access' Initiative Leads to Nine Settlements
  by Beth Pitman, Nathan Kottkamp

Although HIPAA is probably best known for its privacy and security provisions, it also affords certain essential rights to ensure that individuals have access to their medical records. Since 2019, the HHS Office for Civil Rights (OCR) has stated its intent to increase enforcement of this specific right in response to a directive from HHS. There has been a gradual increase in this targeted enforcement activity until recently. Enforcement of these rights has now driven nine settlement agreements in the course of a month. These are in addition to three breach-related settlement agreements in the same period. Obviously, the OCR has ramped up its enforcement efforts recently, and all Covered Entities and Business Associates should beware.

The first of the settlements involved St. Joseph’s Hospital and Medical Center (“St. Joseph’s”), which entered a corrective action plan and paid $160,000 to settle potential violations of HIPAA’s right to access provision. In this case, a mother requested a copy of her son’s medical records. Despite an initial production of some of the records, St. Joseph’s only produced the complete records 22 months later.

Another settlement involved NY Spine Medicine (“NY Spine”), which also entered a corrective action plan and paid $100,000 to settle a potential violation of HIPAA’s right to access provision. Similar to the St. Joseph’s situation, a patient requested a copy of her medical records, but NY Spine initially provided her with only a portion of her record. Significantly, NY Spine did not produce the remaining records—including the portions of her record that the patient specifically requested in the first place—until over a year later.

This flurry of HIPAA enforcement action confirms that the OCR is as busy as ever in its efforts to ensure compliance. All Covered Entities and Business Associates are encouraged specifically to review their access policies—and ensure that staff are implementing them appropriately. Additionally, as more and more care is provided electronically, entities need to revisit their Security Rule Risk assessments to ensure that they reflect the current state of operations.

Patient rights to access are not limited to HIPAA. In May, the HHS Office of National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid (CMS) released final rules and regulations related to the 21st Century Cures Act (Cures Act) Interoperability and Information Blocking Rules, and the Office of Inspector General (OIG) released its proposed enforcement Rule. Under these Rules, a patient’s request for records (as well as others) must be provided in compliance with the Information Blocking Rule requirements or the Health IT developer and healthcare providers risk enforcement. Under the proposed enforcement rule, Health IT developers regulated by the Cures Act are subject to civil money penalties of up to $1 million per violation, and the OIG will refer healthcare providers to “the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.”
