By Lee Slaton, Vice President of Healthcare; Smart Training

Right of Access (ROA): HIPAA’s New Focus

How quickly does your practice respond to your patients’ requests for records? If your office is lax in its responses, you’re putting it at risk for severe consequences.

This year, a settlement was reached with a provider to resolve potential violations of Right of Access—delineated in the HIPAA Privacy Rule—according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Under the terms, the Ridgewood, NJ-based healthcare provider will pay a $30,000 penalty and adopt a corrective action plan requiring policies and implementation of procedures related to access to protected health information (PHI). OCR will also monitor the provider for compliance for two years.

I wish I could say this was an anomaly, but I’d be telling a big ole fib. This is the sixth HIPAA penalty imposed since January—and the fifth addressing a HIPAA Right-of-Access violation. It’s also the 18th financial penalty imposed by OCR under HIPAA’s Right of Access enforcement initiative launched in late 2019.

Are you starting to see a trend?

Let’s look at what transpired in the New Jersey case.

OCR launched the investigation into the provider after receiving a complaint from a patient on Sept. 7, 2019. The patient had requested a copy of their records held by the practice, but was not provided one within the maximum time the HIPAA Privacy Rule allows for acting on patient requests for their records (30 days).

OCR intervened; yet during the course of the investigation, the provider still did not provide the patient with the requested records. Investigators determined that the delay in providing the records, which exceeded 30 days, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. §164.524.

Maybe you’re shaking your head over the practice’s delay, even after the investigation started; but I know of at least one dental practice in Texas right now facing the same problem the NJ practice did.

When a Patient Requests a Copy of Their Records

As you might have guessed, this issue isn’t going away soon. If a patient requests a copy of their records, don’t sit on the request. Here are five takeaways for you regarding responding to a record request:

  • You have 30 days to respond to the patient request.
  • You should ensure the person requesting the records is entitled to receive them. Make sure the requester is either the patient or someone with whom the patient has given you written authorization to share their records.
  • The request should come in writing (email suffices) and be forwarded to the office manager or practice owner so it receives the priority it demands.
  • You must provide the records in the form requested. In other words, if the patient asks for a paper copy, that’s what you provide. If they want a PDF emailed to them, that’s what you do. Normally, if you aren’t providing it in electronic form, you can charge a reasonable amount for copying, etc.
  • You can’t ignore the request because the patient owes you money.

Do you have questions about how your practice handles PHI requests? Smart Training’s team includes one of the fewer than 100 Certified HIPAA Professionals (CHP) in the country (and the only CHP in the country married to a physician, giving him an “in-the-trenches” perspective).