Timely Responses Required for Requests under HIPAA’s Right of Access Rule - Bim Group

Timely Responses Required for Requests under HIPAA’s Right of Access Rule


On December 15, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), announced a settlement under the Health Insurance Portability & Accountability Act (HIPAA) Right of Access Rule. This penalty illustrates that the Right of Access Rule remains a focus of HHS and that health plans, health care providers, and other covered entities should confirm their own organization’s timely delivery of documents upon request.

The Right of Access Rule
HIPAA requires that individuals or their personal representatives have timely access to their protected health information for a reasonable cost. This rule generally requires that a health plan or other covered entity provide copies of (or other acceptable access to) requested protected health information within 30 days of receiving the request if that information is considered part of a “designated record set.”

A “designated record set” is generally defined to include protected health information that is maintained, collected, used, or disseminated by a health plan or other covered entity that consists of:

  • Medical records and billing records about individuals maintained by or for a covered health care provider
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals

There are two narrow exceptions to the Right of Access Rule for psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or certain administrative actions.

Recent Settlement

In 2022, OCR initiated an investigation of six separate complaints that Optum Medical Care of New Jersey failed to provide timely access to medical records when requested by an adult patient or by the parent of minor patients. OCR determined that patients received the requested records up to 231 days after submitting their requests, which exceeded the permitted response time under the Right of Access Rule. Accordingly, OCR determined this failure was a potential HIPAA violation and entered into a resolution agreement for a $160,000 penalty and implementation of a corrective action plan.

Action Items for Employers

In light of the requirements of the Right of Access Rule and continued complaints received by OCR, health plans, health care providers, and other covered entities should:

  • Review current policies and notices to ensure compliance with HIPAA requirements.
  • Review and verify that appropriate procedures are in place to ensure that requested documentation can be produced in a timely fashion upon request.
  • Verify the current contact information for the party responsible for receiving and responding to protected health information requests.
  • Ensure appropriate processes, procedures, and training are in place to ensure all necessary staff understands and is able to comply with the Right of Access Rule.

Recent Insights

May 20, 2024

Webinar: Mastering COBRA Every Day and in M&A

Tuesday, June 11, 2024 1 – 2PM CST Register Now Registration Code:UBA410EW   Attend this month’s webinar to learn how to administer COBRA effectively. Gain insights into: The determining factors for employer and employee COBRA eligibility The interaction between COBRA and leaves of absence Health plans and tax-favored accounts that can be used with COBRA […]
Read more
May 20, 2024

HHS Finalizes Section 1557 Nondiscrimination Regulations under the Affordable Care Act

READ TIME: 7 MINUTES The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) together with the Centers for Medicare and Medicaid Services (CMS) released regulations under Section 1557 of the Affordable Care Act (the “Final Rule”) on April 26, 2024. These final regulations follow almost two years after […]
Read more
May 20, 2024

IRS Releases 2025 Limits for HDHPs and HSAs

READ TIME: 4 MINUTES The IRS recently issued Revenue Procedure 2024-25 to announce the 2025 inflation-adjusted amounts that apply to health savings accounts (HSAs), excepted benefit health reimbursement arrangements (EBHRAs), and high-deductible health plans (HDHPs). The newly announced figures result in increases in the applicable limits for 2025, including the maximum contribution limit for an […]
Read more
May 20, 2024

FAQs about the Patient Centered Outcomes Research Institute (PCORI) Fee

READ TIME: 10 MINUTES The Patient-Centered Outcomes Research Institute (PCORI) fee initially applied from 2012 to 2019. However, in December 2019, the Further Consolidated Appropriations Act, 2020 extended the fee to 2029. The PCORI fee applies to all plans that provide medical coverage to employees. Medical coverage includes preferred provider (PPO) plans, health maintenance organization […]
Read more