Yunge Li
Associate Editor
Loyola University Chicago School of Law, JD 2021
On September 9th, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its first enforcement action and settlement under its Right of Access Initiative. This came as a reaction to Bayfront Health St. Petersburg (Bayfront) paying $85,000 in fines to OCR. Bayfront adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule after they failed to provide a mother timely access to the records about her unborn child. In response, the OCR Director, Roger Severino, stated “[w]e aim to hold the health care industry accountable for ignoring peoples’ right to access their medical record and those of their kids.”
The Bayfront settlement
According to the resolution agreement released by the OCR, a complainant submitted a written request for her fetal heart rate monitor records from Bayfront in October of 2017. She received a response from Bayfront saying the records were not found. Her counsel then requested the records again in both January and February of 2018, only to receive an incomplete set of records in March. In August, she filed a complaint with OCR alleging Bayfront’s violation of her right of access to the medical record. Bayfront finally disclosed the full record to the complainant’s counsel more than nine months after the initial request.
The OCR’s Right of Access Initiative
The OCR’s Right of Access Initiative was announced earlier this year, in hopes of “vigorously enforcing” a patient’s right to receive copies of his or her medical records in an efficient and cost-effective manner. The right of access is a fundamental patient right granted under the HIPAA Privacy Rules, and this initiative not only furthers that fundamental right but also allows patients to be more involved in their own care.
The individual’s right of access provision under HIPAA requires covered entities to provide medical records within 30 days of the request, and only allows providers to charge a reasonable cost-based fee. This right also extends to parents seeking medical information for their minor children. In a statement addressing the root cause of the issue, Bayfront hospital stated, “[c]lerical errors unfortunately caused a significant delay in fulfilling the entire request of records.” Following a one-year monitoring period with the corrective action plan, Bayfront is required to review its policies and procedures, and employee training. As Bayfront hospital described, “[w]orking with our release of information vendor, staff have been re-educated on processes, including escalation procedures when requested documents cannot be located.”
Inadequate compliance
Over the past several years, the OCR has taken steps to ensure compliance with the right of access. Additionally, the OCR has expressed concerns that health care providers are failing to provide timely patient access and are overcharging patients for copies of their records. Such concern is not unfounded.
A recent study conducted by medRxiv, a health manuscript archiving company, has shown inadequate compliance by healthcare providers with the HIPAA right of access provision. In this study, researchers sent medical record requests, asking for access to patient data, to 51 healthcare providers. The researchers then ranked each healthcare provider on a scale of 1 to 5, with five being the best experience of obtaining said records. The results of this study indicated that more than half of the providers assessed either (1) were not fully compliant or (2) required several attempts and escalations before the requests were satisfied in a fully compliant manner. The main area of noncompliance was found to be the failure to send medical records electronically, even when it was specifically requested by the patient.
What is next?
OCR used Bayfront to set a precedent regarding the right of access enforcement. As healthcare technology continues to evolve and patient information takes on new forms in the digital era, the HHS has reminded the community that patient right of access rules are still applicable to all formats of health information. Covered health care providers should be diligent in their compliance plans and review the policies and procedures set forth to help improve the effectiveness of their compliance programs.