A March 11 article in the Health Care Compliance Association’s Report on Patient Privacy, “In Wake of 16th OCR Settlement, Time For CEs, BAs to Take Right of Access Seriously,” discussed the Right of Access Initiative that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been pursuing since 2019. Rivkin Radler’s Eric Fader was quoted extensively in the article.

The article stresses that it is past time for HIPAA covered entities and business associates to upgrade their policies and procedures and to take patients’ right of access to their medical records very seriously. Eric said that the message OCR is trying to send to providers with the right of access settlements is that “ignorance of your responsibilities under HIPAA is no excuse. Don’t tell us you’re too busy. You must train your workforce to respond timely to patients’ requests. Don’t pretend you didn’t know you had to do this, because we, the American Medical Association and other organizations, and mainstream news sources have all been talking about this for at least the past couple of years. And above all else, if we investigate you and you tell us you’ll do something, you’d better do it.” Eric added that “any provider that hasn’t reviewed its internal policies on providing access to patient records and made sure that their workforce knows how to speak to patients and process these requests really has no good excuse for noncompliance.”

Healthcare organizations have neglected the right of access, which led OCR to focus on it, Eric said. “The audits of HIPAA-covered entities and business associates that OCR has been doing for many years didn’t start out focusing on this problem,” he said. “However, it gradually became apparent, and in the past few years it has been recognized that the country’s health care costs can only be reduced through better coordination of care. It’s impossible to coordinate care among unrelated providers effectively if they don’t have timely access to patients’ records, including those records generated by other providers.”

Although OCR’s 16 publicized settlements have involved different fact situations, Eric pointed out that many followed similar patterns. “It’s usually the same basic facts,” he explained. “Patient requests records. Patient is ignored entirely or receives only a few of the records (perhaps copies of test results that need to be burned onto a CD are what is omitted). Patient complains to OCR. OCR contacts provider and reminds them of their obligation. Provider says they’ll provide the records. OCR closes the case without penalty. Provider still doesn’t provide the records. Patient complains again. OCR reopens the case, investigates, and fines the provider. OCR announces the settlement publicly, trying to maintain a steady drumbeat of settlements to gradually educate the public.”

The COVID-19 pandemic has played a role, Eric noted. “Many of the settlements—including one that a former client of my firm had to pay last year under the Right of Access Initiative—seem to have arisen out of violations that were caused, in part, by COVID-19. Many providers reduced office hours last year or had to furlough some administrative employees, and they simply didn’t have sufficient administrative support to respond to patient requests. My guess is that if a practice has one ‘front desk’ person and one administrative/billing person, and the latter is working from home some or all of the time where he/she may be less efficient, there will be a temptation to prioritize bills and follow-ups with insurance companies, and pay less attention to patients’ own requests for their records.”

“Many healthcare organizations, particularly smaller physician practices, worked with a HIPAA consultant or purchased an off-the-shelf manual of HIPAA policies and procedures many years ago, put the manual on the bookshelf, and since that time have been under the impression that they were in compliance with HIPAA,” Eric observed. “This is obviously not good enough.” He added that properly training and retraining the employer’s workforce no less than once per year is one of the most commonly overlooked HIPAA requirements, along with conducting periodic security risk assessments.

Eric and others quoted in the article agreed that providers should expect more enforcement on the right of access from OCR going forward.