Timely Responses Required for Requests under HIPAA’s Right of Access Rule - Bim Group

Timely Responses Required for Requests under HIPAA’s Right of Access Rule

READ TIME: 4 MINUTES

On December 15, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), announced a settlement under the Health Insurance Portability & Accountability Act (HIPAA) Right of Access Rule. This penalty illustrates that the Right of Access Rule remains a focus of HHS and that health plans, health care providers, and other covered entities should confirm their own organization’s timely delivery of documents upon request.

The Right of Access Rule
HIPAA requires that individuals or their personal representatives have timely access to their protected health information for a reasonable cost. This rule generally requires that a health plan or other covered entity provide copies of (or other acceptable access to) requested protected health information within 30 days of receiving the request if that information is considered part of a “designated record set.”

A “designated record set” is generally defined to include protected health information that is maintained, collected, used, or disseminated by a health plan or other covered entity that consists of:

  • Medical records and billing records about individuals maintained by or for a covered health care provider
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals

There are two narrow exceptions to the Right of Access Rule for psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or certain administrative actions.

Recent Settlement

In 2022, OCR initiated an investigation of six separate complaints that Optum Medical Care of New Jersey failed to provide timely access to medical records when requested by an adult patient or by the parent of minor patients. OCR determined that patients received the requested records up to 231 days after submitting their requests, which exceeded the permitted response time under the Right of Access Rule. Accordingly, OCR determined this failure was a potential HIPAA violation and entered into a resolution agreement for a $160,000 penalty and implementation of a corrective action plan.

Action Items for Employers

In light of the requirements of the Right of Access Rule and continued complaints received by OCR, health plans, health care providers, and other covered entities should:

  • Review current policies and notices to ensure compliance with HIPAA requirements.
  • Review and verify that appropriate procedures are in place to ensure that requested documentation can be produced in a timely fashion upon request.
  • Verify the current contact information for the party responsible for receiving and responding to protected health information requests.
  • Ensure appropriate processes, procedures, and training are in place to ensure all necessary staff understands and is able to comply with the Right of Access Rule.

Recent Insights

January 10, 2025
Affordable Care Act (PPACA)

ACA Reporting Changes for 2025

On December 23, 2024, President Biden signed into law the Paperwork Burden Reduction Act (PBRA) alleviating some burdens associated with the annual ACA reporting.  Effective for tax years beyond 2023, employers are no longer required to automatically distribute the Forms 1095-B/Cs to employees unless requested.  The Form 1095-B/Cs must still be prepared and electronically filed […]
Read more
January 7, 2025
News

Webinar: Ensuring Your Health Plan is Ready for a Department of Labor Audit

Tuesday, January 14, 2025 1 – 2PM CST Register Now Registration Code:UBA410EW Attend this month’s webinar to learn what triggers a DOL audit and how to prepare. Key takeaways:  Gain insight into the DOL’s enforcement priorities that can trigger an audit, especially regarding compliance with the ACA, Mental Health Parity and Addiction Equity Act, and […]
Read more
January 7, 2025
News

Wellness Programs and Smokers’ Penalties under Scrutiny

READ TIME: 5 MINUTES A recent lawsuit involving Macy’s Inc. and the U.S. Department of Labor (DOL) is bringing attention to the way companies structure their wellness programs—particularly those that impose penalties on employees who smoke. This case highlights the potential risks for employers who charge higher health premiums to smokers and raises questions about […]
Read more
January 7, 2025
News

December 2024 Compliance Recap

READ TIME: 7 MINUTES President Biden stepped away from proposed changes to the birth control opt-out for moral objections. The pre-deductible status of telehealth in HSA plans expired, and the CAA 2024 Gag Clause Attestation submission took effect. Biden Administration Withdraws Proposed Birth Control Benefits regulations The Biden Administration has suspended its efforts to limit […]
Read more