On December 15, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability & Accountability Act (HIPAA) Right of Access Rule. This penalty illustrates that the Right of Access Rule remains a focus of HHS and that health plans, health care providers, and other covered entities should confirm their own organization’s timely delivery of documents upon request.
The Right of Access Rule
HIPAA requires that individuals or their personal representatives have timely access to their protected health information for a reasonable cost. This rule generally requires that a health plan or other covered entity provide copies of (or other acceptable access to) requested protected health information within 30 days of receiving the request if that information is considered part of a “designated record set.”
A “designated record set” is generally defined to include protected health information that is maintained, collected, used, or disseminated by a health plan or other covered entity that consists of:
- Medical records and billing records about individuals maintained by or for a covered health care provider
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals
There are two narrow exceptions to the Right of Access Rule: psychotherapy notes, and information compiled in reasonable anticipation of, or for use in, civil, criminal, or certain administrative actions.
Recent Settlement
In 2022, OCR initiated an investigation of six separate complaints that Optum Medical Care of New Jersey failed to provide timely access to medical records when requested by an adult patient or by the parent of minor patients. OCR determined that patients received the requested records up to 231 days after submitting their requests, which exceeded the permitted response time under the Right of Access Rule. Accordingly, OCR determined this failure was a potential HIPAA violation and entered into a resolution agreement for a $160,000 penalty and implementation of a corrective action plan.
Action Items for Employers
In light of the requirements of the Right of Access Rule and continued complaints received by OCR, health plans, health care providers, and other covered entities should:
- Review current policies and notices to ensure compliance with HIPAA requirements.
- Review and verify that appropriate procedures are in place to ensure that requested documentation can be produced in a timely fashion upon request.
- Verify the current contact information for the party responsible for receiving and responding to protected health information requests.
- Ensure appropriate processes, procedures, and training are in place so that all necessary staff understand and are able to comply with the Right of Access Rule.