The Office for Civil Rights (OCR) at HHS announced the resolution of eleven investigations in its HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to 38 since the initiative began. Providers found to be in violation of the HIPAA Right of Access rule were given fines ranging from $3,500 to $240,000!
The Right of Access rule “generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.”
After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.
The OCR has treated the HIPAA Right of Access Initiative as an enforcement priority since 2019, although many “non-essential” enforcement actions have slowed or paused due to the COVID-19 pandemic. While enforcement may be slow in the near future, as the country re-opens enforcement actions will undoubtedly increase.
Although you probably have other issues on your mind, now is a good time to remind your staff about HIPAA Right of Access. Do you really to pay a huge fine because you failed to provide a patient’s medical records? A few minutes of effort can save you from being the target of a Federal investigation. Don’t let your practice be featured in the next press release from HHS!