HIPAA right of access: In what looks like a new trend, another costly settlement
Eight may not be enough to get the message across, as the U.S. Department of Health and Human Services has now reached that number of settlements with providers nationwide in the year-plus since it began enforcing HIPAA's right of access provision.
WHY IT MATTERS
HHS Office for Civil Rights announced this week that Dignity Health – doing business as St. Joseph's Hospital and Medical Center – will pay $160,000 to settle a potential violation of that provision of the HIPAA Privacy Rule.
On April 25, 2018, OCR received a complaint about Phoenix-based SJHMC. It was from a mother who alleged that, starting in January of that year, she made multiple requests to the health system for a copy of her son's medical records, since she was his personal representative.
While SJHMC provided some of the requested health records, it didn't give her all of them, despite repeated requests over the next four months.
As a result of OCR's investigation, SJHMC did finally supply the mother with all of the medical records she'd requested, on December 19, 2019 – nearly two years after her first request.
To settle the potential HIPAA violation, the health system will also undertake a corrective action plan, including two years of monitoring, in addition to the money it paid.
THE LARGER TREND
OCR made data accessibility "an enforcement priority in 2019 to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule," the agency says.
The ramp-up reflects the fact that, despite the oft-heard buzzwords about patient experience and consumer empowerment across healthcare, for too many patients the simple act of securing a copy of their own medical chart, rightfully theirs under the law, faces far too many impediments.
As Deven McGraw, former Deputy Director for Health Information Privacy at OCR, explained in 2019, the barriers between patients and their right to timely access include records not sent within the required 30-day period, or not shared in the digital format requested.
Some health systems refuse to send images; others don't accept requests by email or fax (as required by HIPAA). Many charge patients inflated fees for their own records, much higher than HIPAA's allowance for a "reasonable, cost-based" fee.
Sometimes, as in the latter example, the hindrances are deliberate. In other cases, they're based on a provider's misunderstanding of what the law stipulates.
But the bottom line, said McGraw, is that "patients need their records, and it shouldn't be hard to get them."
So if OCR had dragged its feet on enforcing right of access in years past, it appears to be making up for lost time.
Since levying its first settlement on such a case just over a year ago, the agency has set its sights on an array of allegedly non-compliant healthcare providers. Just this past month, it collected settlements – as little as $3,500, as much as $70,000 – from a half-dozen other providers nationwide.
ON THE RECORD
"It shouldn't take a federal investigation to secure access to patient medical records, but too often that's what it takes when health care providers don't take their HIPAA obligations seriously," said OCR Director Roger Severino in a statement. "OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients."