Skip to main content
Subscribe
  • Login
  • My Account
  • Logout
  • Register For Free
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Digital Health
    • Transformation
    • ESG
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Blogs
    • AI
    • Deals
    • Layoff Tracker
    • HLTH 2024
    • Sponsored Content: Vital Signs Blog
  • Opinion
    • Letters
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • 40 Under 40
    • Best Places to Work in Healthcare
    • Healthcare Marketing Impact Awards
    • Innovators Awards
    • Diversity Leaders
    • Leading Women
    • Best in Business Awards
    • The 2030 Playbook Conference
    • Innovations in Patient Experience
    • Leading Women Conference & Awards Luncheon
    • Leadership Summit
    • Workforce Summit
    • Best Places to Work Awards Gala
    • Diversity Leaders Gala
    • - Looking Ahead to 2025
    • - Financial Growth
    • - Hospital of the Future
    • - Value Based Care
    • - Looking Ahead to 2026
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Sponsored Video Series - One on One
    • Sponsored Video Series - Checking In with Dan Peres
  • Data & Insights
    • Data & Insights Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Skilled Nursing Facilities
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • Newsletters
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Jobs
    • People on the Move
    • Reprints & Licensing
    • Sponsored Content
MENU
Breadcrumb
  1. Home
  2. Legal
November 25, 2020 10:59 AM

5 lessons learned from HIPAA ‘Right of Access' fines this year

Jessica Kim Cohen
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Modern Healthcare Illustration / Getty Images

    HHS' Office for Civil Rights in 2020 has ramped up enforcement actions against healthcare providers that don't provide patients with access to health records as mandated under HIPAA.

    This year, OCR—the HHS agency that enforces the Health Insurance Portability and Accountability Act—reached 10 settlements with health systems, private practices and other providers that allegedly failed to respond to patient requests for health records in a timely manner, totaling $501,500 in combined fines.

    As part of their respective settlements the 10 organizations didn't admit to wrongdoing but agreed to pay fines and amend policies and procedures.

    While HIPAA is largely known as the 24-year-old federal privacy law that restricts release of medical data, it also requires providers to give patients their requested medical records within 30 days and without a hefty charge. OCR last year announced its "Right of Access Initiative"—making it a priority to "rigorously enforce" the ability of patients to see their records.

    OCR has entered into 12 settlements as part of its Right of Access Initiative; two in late 2019 and 10 this year. In November alone, OCR has announced three such settlements. While HHS has been relaxing some portions of HIPAA amid the COVID-19 public health emergency, that hasn't extended to its access requirements.

    OCR, which did not respond to an interview request at deadline, has previously said its enforcement actions are designed to "send a message" to the healthcare industry about HIPAA compliance.

    Making it easier for patients to get access to their own health records is a goal that's proved bipartisan in the past. Experts don't expect the Biden administration will slow down on enforcement actions.

    "This sleepy provision that used to be the least understood in HIPAA is having its moment in the sun," said Deven McGraw, chief regulatory officer at data-sharing startup Ciitizen and a former deputy director for health information privacy at OCR. "It's a sleeper no more."

    Here are five lessons healthcare executives can learn from this year's settlements.

    1. A newfound focus. Historically, HIPAA fines have focused on data protection issues, but that has led to confusion. Covered entities have sometimes neglected to release a patient's record after assuming that HIPAA is broader than it actually is.

    "For a long time there has been such an emphasis—for better or for worse—on the various restrictions under HIPAA," said Nathan Kottkamp, a partner in law firm Waller's healthcare practice. With the Right of Access settlements, "OCR has really signaled that it's taking this piece of HIPAA very, very seriously," too.

    2. OCR's settlements have run the gamut. There's not one specific type of access issue OCR has focused on enforcing.

    Right of Access settlements have included a health system, a solo practitioner, psychiatric services providers and others for issues ranging from allegedly failing to send the full set of records requested by a patient, to provide a written explanation when denying a request, or to send a copy of records to a requested third party.

    HHS also took action when someone designated as a "personal representative" wasn't able to access their parent or child's health records, according to Angie Burnette, counsel in law firm Alston & Bird's healthcare regulatory group.

    3. Don't get distracted by seemingly low dollar figures. Right of Access fines have ranged from $3,500 at a Virginia psychiatric services provider to $160,000 at Dignity Health's St. Joseph's Hospital and Medical Center in Phoenix, notably lower than the largest HIPAA fines for data breaches to date, which have totaled millions of dollars.

    "While the penalty amounts may not look like a lot, the corrective action plans that each of these healthcare providers have had to execute with OCR are quite serious," McGraw said.

    As part of corrective action plans this year, organizations have agreed to revise patient record policies, which require HHS approval; train staff and vendors on the changes; and regularly send HHS a list of all patients who have requested records from the entity.

    Seven of the corrective action plans include HHS monitoring the organization's HIPAA compliance for two years; three involve one year of monitoring.

    And unlike data breach settlements, which tend to involve breaches of hundreds, thousands or even millions of patients' records, Right of Access settlements have stemmed from complaints filed by a single person.

    OCR officials in September said the agency considers multiple factors when determining a settlement amount, including the nature of the possible HIPAA violation, the extent of possible harm resulting from such a violation, the "financial condition" of the healthcare entity, and the entity's history regarding HIPAA compliance.

    4. If OCR reaches out, don't ignore it. In five of this year's 10 settlements, OCR received a Right of Access complaint, provided the accused entity with compliance feedback, and closed the complaint. However, the agency would later receive a second complaint alleging the entity still hadn't provided the patient with their requested records.

    OCR levied the five fines in question—on New York City not-for-profit Housing Works; Chesapeake, Va., psychiatric services provider Patricia King MD & Associates; Wise Psychiatry in Centennial, Colo.; Riverside (Calif.) Psychiatric Medical Group and an otolaryngologist in Regal Park, N.Y.—after receiving a second complaint from the patient or parent.

    That's a key lesson for hospital executives to take away from this year's HIPAA enforcement actions.

    "If you get a technical assistance letter (from OCR): Follow through. Provide the records in a timely manner," said Dawnmarie Matlock, partner in Alston & Bird's healthcare regulatory group.

    5. Make sure staff understand HIPAA. Training staff on how to respond to patient records requests is resource- and time-intensive undertaking. Staff interacting with patients should understand what HIPAA entails and next steps when a patient requests records. If a hospital contracts with a third-party vendor to manage patient-record requests, executives should ensure that the company's practices are HIPAA compliant and that they understand the vendor's liability as outlined in their contract.

    Organizations also need to establish policies for when staff would deny a patient's request for records as allowed under HIPAA—such as for some psychotherapy notes—and, in those cases, processes to document reasons for the denial and alert the patient about the decision in a timely manner.

    "In order to train on something like (HIPAA Right of Access), you have to have a good system in place," said Valerie Montague, a partner at law firm Nixon Peabody who focuses on health information privacy and security issues. "You want to make sure that you have the workflow in place to evaluate a request."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    UnitedHealth_Group_AP_fullsize_i_i_i copy_i.png
    UnitedHealth under criminal investigation for Medicare fraud: WSJ
    Tenet-Leapfrog
    Tenet hospitals sue Leapfrog Group over 'pay-to-play' grades
    Most Popular
    1
    'Legendary' Hemsley takes over at UnitedHealth amid rough seas
    2
    Big retail tried to disrupt healthcare—who is making a dent?
    3
    These are the regulations the AHA wants RFK Jr. to scrap
    4
    Downside risk, upside payment highlight new CMS innovation agenda
    5
    Medicaid cuts bill clears key House committee
    Sponsored Content
    Daily Dose Newsletter: Sign up to receive a late afternoon weekday roundup of that day’s breaking news and developments in healthcare.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Help Center
    • Advertise with Us
    • Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2025. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Digital Health
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • ESG
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Blogs
      • AI
      • Deals
      • Layoff Tracker
      • HLTH 2024
      • Sponsored Content: Vital Signs Blog
    • Opinion
      • Letters
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • 40 Under 40
        • Best Places to Work in Healthcare
        • Healthcare Marketing Impact Awards
        • Innovators Awards
        • Diversity Leaders
        • Leading Women
        • Best in Business Awards
      • Conferences
        • The 2030 Playbook Conference
        • Innovations in Patient Experience
        • Leading Women Conference & Awards Luncheon
        • Leadership Summit
        • Workforce Summit
      • Galas
        • Best Places to Work Awards Gala
        • Diversity Leaders Gala
      • Virtual Briefings
        • - Looking Ahead to 2025
        • - Financial Growth
        • - Hospital of the Future
        • - Value Based Care
        • - Looking Ahead to 2026
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Sponsored Video Series - One on One
      • Sponsored Video Series - Checking In with Dan Peres
    • Data & Insights
      • Data & Insights Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Skilled Nursing Facilities
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • Newsletters
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Jobs
      • People on the Move
      • Reprints & Licensing
      • Sponsored Content