
Complying with HIPAA Right of Access Rules

Best practices for compliance to keep your medical practice from running afoul of the Right of Access requirements.

Jeanne Varner Powell, JD

04/25/2024

The U.S. HHS Office of Civil Rights (OCR) wants physician practices and other covered entities to know it’s serious about enforcing HIPAA right of access rules. These rules give patients (and their “personal representatives”) the right to timely obtain copies of their medical records. HIPAA defines “personal representative” as a person with legal authority to make healthcare decisions for the patient or to act on behalf of a deceased patient or patient’s estate. 

Since 2019, OCR has investigated and settled 45 enforcement actions involving non-compliance with the right of access rules. The settlements included monetary penalties ranging from $3,500 to $240,000. OCR launched the Right of Access Enforcement Initiative after determining through random compliance audits that most covered entities were not in compliance with the rules.  

  • If OCR conducted a compliance review of your practice this week, could you provide documentation showing full compliance with the right of access?
  • Do you have written policies and procedures that track HIPAA right of access requirements?
  • Do you keep copies of all patient records requests and the date received?
  • Do you maintain documentation that shows you followed your written procedures when responding to each request?

If you can’t answer “yes” with certainty to all of these questions, you’re not alone, and this article is for you. Read on to learn more about:

  • Recent OCR settlements;
  • Tips for documenting compliance with the right of access rules; and
  • Developing a right of access policy and procedure using MICA’s customizable template.

OCR Right of Access Initiative Settlements 

OCR says its vigorous enforcement of right of access rules is designed to “wake up healthcare providers to their obligations under the law.” OCR’s wake-up call is not limited to large hospital systems. Small and medium practices are well represented in the list of 45 settlements. Besides monetary penalties, the settlements require practices to adhere to corrective action plans that include extensive reporting responsibilities during a monitoring period spanning a year or more. 

Examples of settlements include: 

  • A primary care provider did not timely provide copies of a deceased patient’s records to the patient’s daughter, who was the personal representative of the estate. The practice paid $20,000.
  • A two-physician practice specializing in retina care paid $22,500 for not timely providing a patient with records.
  • A psychiatrist who denied a patient records because of an outstanding balance paid $3,500.
  • A licensed counselor who failed to provide a father with timely access to his children’s records paid $15,000.
  • A patient’s daughter requested records and provided a durable power of attorney to show that she was her mother’s personal representative. The practice paid $55,000 after it failed to provide the records based on its mistaken belief that the durable power of attorney was insufficient.
  • A 20-physician surgical group paid $65,000 after it failed to provide a patient with records as requested.
  • A small ENT practice with six physicians paid $20,000 after it failed to timely provide a patient with records.
  • An Arizona hospital system failed to timely respond to requests for patient records and paid $200,000.

When OCR Comes Knocking: You Need Documentation to Demonstrate Compliance 

When OCR conducted random HIPAA compliance audits in 2016, it learned that many covered entities:  

  • do not have a HIPAA-compliant procedure for responding to patients’ requests for medical records, or
  • are not properly training practice staff to follow the procedure.

Only 1 out of 166 covered entities audited (including 83 physician practices) could demonstrate full compliance with right of access rules.

Whether OCR is conducting random audits or investigating patient complaints, the agency wants to see a medical practice’s documentation. Generally, OCR requests the following documents at the start of an investigation: 

  • The practice’s Notice of Privacy Practices;
  • Forms the practice requires patients/personal representatives to complete when requesting records;
  • The practice’s written policy describing how individuals can communicate a records request;
  • Policies and procedures governing how the practice processes and responds to medical records requests from patients or their personal representatives;
  • All documentation related to a certain number of access requests the practice granted in the prior year;
  • All documentation related to a certain number of access requests the practice denied in the prior year; and
  • All documentation related to a certain number of access requests where the practice requested an extension of time to respond.

Ultimately, OCR can base a finding of non-compliance on: 

  • no documentation;
  • documentation that fails to comply with HIPAA requirements; or
  • failure to demonstrate that practice employees are complying with HIPAA when processing access requests (OCR determines this by reviewing the practice’s documentation showing how it processed actual access requests during the prior year).

Tips for Demonstrating Compliance: Notice of Privacy Practices

Use OCR’s customizable Model Notice of Privacy Practices (NPP) to ensure HIPAA compliance. 

OCR found during audits that some practices used Notices of Privacy Practices (NPP) that incorrectly stated the practice had 60 days (instead of 30 days) to respond to access requests by patients/personal representatives.  

Tips for Demonstrating Compliance: The Request Form

Consider requiring patients or personal representatives to complete a standard written form when requesting access to their medical records.  

HIPAA says patients and personal representatives may make an oral request for access but allows practices to require a written request. Arizona law requires the request to be in writing. 

Regardless of the state where you practice, MICA suggests using a written form that: 

  • makes it easier to track the status of the request (so you can ensure you process the request within the time allowed by HIPAA);
  • should be retained for HIPAA compliance purposes with the other documentation related to processing the request; and
  • can help manage patient expectations by explaining how the request process works and providing contact information for the responsible staff member who can answer questions.

When developing request forms or procedures, be sure to include the following items that OCR investigators specifically look for:

  • A clear method or options for the individual to identify/describe the PHI requested;
  • Options for the individual to request the PHI in the form and format of their choice (e.g., paper or electronic, and the type of electronic file);
  • Options for the individual to designate a third party to receive the requested information; and
  • A statement informing the requestor that the practice is required to respond within 30 days (or request a 30-day extension).

Tips for Demonstrating Compliance: Written Policies and Procedures 

HIPAA covered entities must maintain a written right of access policy and procedure that specifies how patients and personal representatives can request and obtain access to medical records. HIPAA policies must be retained for six years from the date of creation or the date last in effect, whichever is later. Practices that don’t have a right of access policy, or that want to revise or double-check their existing policy, can use MICA’s customizable template.

During audits and investigations, OCR will request a copy of your policy to determine if it satisfies HIPAA requirements. To comply with 45 CFR 164.524, policies should, at a minimum, contain the following: 

  • Statement that a patient or representative has the right to inspect or obtain a copy of protected health information (PHI) in a designated record set for as long as the practice maintains the PHI;
  • Statement that the right of access does not apply to psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
  • Procedure for permitting requests for access;
  • Procedure for determining whether to permit or deny the request, including a procedure for verifying patient identity or confirming personal representative status;
  • List of statutorily permitted bases for denying a request (without an opportunity for review);
  • List of statutorily permitted bases for denying a request (with an opportunity for review);
  • Procedure for reviewing a denial of access;
  • Procedure for issuing a timely written denial letter;
  • Procedure for timely fulfilling (within 30 days of receipt) requests that are granted;
  • Procedure for requesting one 30-day extension to process an access request;
  • Procedure for fulfilling the access request as requested by the individual;
  • Procedure for informing the patient where to direct a PHI request if the practice does not maintain the PHI (but knows where it is maintained);
  • Procedure for compliance with HIPAA documentation requirements; and
  • Procedure for calculating a reasonable, cost-based fee. Allowable costs include postage, copying labor, and supplies; the fee structure must account for the varying costs of different forms and formats (electronic or paper).

To obtain state-specific publications on legal restrictions related to assessing and calculating reasonable, cost-based fees, MICA members can contact the MICA Risk Team at 800-705-0538 or rm_info@mica-insurance.com. Arizona law prohibits charging a fee when a patient or patient’s health care decision maker requests medical records for “the demonstrated purpose of obtaining health care.”

Tips for Demonstrating Compliance: Documentation of the Request and Response  

Retain all documentation related to right of access requests for six years.  

In case of an audit or investigation, OCR will request and evaluate this information.  

OCR reviews the information to determine, in part, if the medical practice and its employees are complying with HIPAA right of access rules when processing and responding to patient requests. OCR will assess whether: 

  • any fee charged meets the federal requirements for a reasonable, cost-based fee;
  • the response was timely (or an extension of 30 days or less was properly documented);
  • the practice fulfilled the request in the form and format requested;
  • the practice fulfilled part of an individual’s request, even though some access was denied based on statutory exclusions;
  • denials, and any applicable reviews, were made according to the policy and procedure; and
  • the practice advised the patient how to obtain review of the denial, if applicable.

OCR also compares this documentation to your written policy and procedure to evaluate whether your employees are properly trained to implement the process. HIPAA requires covered entities to train workforce members on right of access and other HIPAA policies and procedures.  

One recently settled case illustrates why it’s essential to train your employees and then monitor for proper implementation of policies and procedures:  

  • A family medicine practice with two physicians and three advanced practice providers failed to provide records requested by a patient on three separate occasions.
  • When the patient complained and OCR investigated, the practice blamed its failure on “a former workforce member’s misunderstanding” of the HIPAA rules.
  • Not surprisingly, that explanation did not help the practice avoid monetary penalties for non-compliance with right of access rules. The practice paid $30,000 as part of the settlement.