A patient’s uphill battle to get a copy of her medical records has led to another resolution agreement between a covered entity (CE) and the HHS Office for Civil Rights (OCR), which says the case is a first under its new Right of Access Initiative.
Bayfront Health St. Petersburg in Florida paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of HIPAA’s right of access provision, which requires CEs to give patients their records within 30 days. OCR alleged that Bayfront, a Level II trauma and tertiary care center, didn’t provide a mother timely access to records about her unborn child. The mom complained to OCR, which had to shake the records loose from Bayfront nine months after she made her first request.
A patient’s right to access his or her records is a cornerstone of the HIPAA Privacy Rule, and OCR imposed its first civil monetary penalty ever in a case about violating it. In 2011, Cignet Health of Prince George’s County, Maryland, paid $4.3 million for violating 41 patients’ rights by denying their access to medical records. They separately requested them in vain and individually filed complaints with OCR, which investigated. “During the investigations, Cignet refused to respond to OCR’s repeated demands to produce the records,” OCR said. “On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.”
The Cignet and Bayfront cases aside, CEs generally seem to have the patient-access requirement under control, some experts say. “I don’t think there’s widespread noncompliance with this requirement,” says former OCR acting deputy director Iliana Peters, who was also senior advisor for HIPAA compliance and enforcement. But there are “areas of potential noncompliance” and some confusion about the right of access, particularly with respect to the judicial and administrative process, says Peters, with Polsinelli in Washington, D.C. She predicts clarity will come through enforcement. There’s also controversy around charges, which is at the heart of a lawsuit against HHS.
In the Bayfront case, OCR says a patient complained that she asked the hospital for her fetal heart monitor records starting in October 2017 and had not received them by the time she complained to OCR in August 2018. When OCR investigated, Bayfront said when the patient first asked for the records, they couldn’t be located. Her counsel then requested the records twice in 2018, and Bayfront first gave counsel an incomplete set and then a complete set. “Complainant’s counsel shared the records with her and, as a result of OCR’s investigation, on February 7, 2019, Bayfront provided Complainant with the fetal heart monitor records directly,” the resolution agreement states. Bayfront didn’t admit liability, and a spokesperson didn’t respond to a request for comment. HHS did not elaborate on its Right of Access Initiative.
There’s Some Confusion Around Processes
Under the HIPAA Privacy Rule, CEs are required to give people access to their protected health information (PHI) in one or more “designated record sets” upon request (45 C.F.R. § 164.524). CEs have 30 days to produce the records, although OCR encourages them to respond as fast as possible. In terms of charges, CEs and the business associates operating on their behalf may charge patients a reasonable, cost-based fee for a copy of their PHI. According to May 2016 OCR guidance, Individuals’ Right under HIPAA To Access their Health Information, the fee may only include the cost of supplies, postage and labor. The guidance described the methods that may be used to calculate the fee. They are actual labor costs (e.g., for copying) and applicable supplies; average costs, “as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee”; and a flat fee that doesn’t exceed $6.50 per request.
There may be some confusion around the different processes that hospitals and other CEs have for releasing medical records, Peters tells RMC. When patients request their own records, in person, by email or through a portal, it should be straightforward. She and other privacy experts say they haven’t seen CEs run afoul of this too often. There’s a right of patient access, and it’s unambiguous, Peters explains. But if an attorney requests the records with the patient’s authorization, HIPAA permits the disclosure but doesn’t require it. “Those are two different processes that people often get mixed up,” she says.
Beyond that are litigation matters. “There are several different ways that people deal with litigation that have different requirements,” Peters says. For example, a court order requires disclosure, but for subpoenas, “it’s not a slam dunk,” she notes. “There are all these different issues that surround medical record production that complicate the access to medical records.”
The presence of a business records affidavit sometimes makes the difference in whether CEs are required to disclose PHI and how fast they have to do it, says attorney Richelle Marting, with the Forbes Law Group in Overland Park, Kansas. When attorneys request medical records with a business records affidavit, they are using it for litigation, she says. “We typically view that as the attorney’s request to enable the production of records into evidence,” which falls under the HIPAA provision on authorizations (45 C.F.R. § 164.508), not the patient right of access, says Marting, who is also a part-time hospital privacy officer. “That’s the informal consensus. Nobody has clear guidance whether that’s right or wrong.”
A wrinkle with patient access is the tension between privacy and security compliance when patients ask providers to send their medical records to an app that’s not secure versus a reputable, secure app, Peters says. “The provider has to manage whether to send very sensitive data in an unsecure way to comply with the patient request,” she explains. This may come up with patients who have chronic conditions and “want to be empowered in a good way to use their medical information and interact with the provider, but they could be walking into a security issue. It’s on the provider to work with patients, but providers don’t necessarily have the bandwidth to help patients get medical records to a strange new app they want to use.”
Peters also clarified that despite OCR making a distinction in the announcement about the Bayfront resolution agreement between the mother’s medical records and the unborn child’s medical records, patients are entitled to access the medical information in their own file. “It doesn’t matter whether it implicates a third person,” she says. “I’m worried people might think there’s a distinction. If it’s in my medical records, it is my information, and I get a copy of it.” It’s important for CEs to understand that as genetic testing becomes more routine.
Warning Signs About Patient Access
Fees for records are another fraught area in patient access. They’re at the heart of a lawsuit filed against HHS by CIOX Health, a medical records release company, over how much CEs and business associates are allowed to charge for copies of PHI under HIPAA (“HIPAA Court Battle Heats Up Over Fees for Copying PHI; BA Challenged OCR Guidance,” RMC 27, no. 19).
When a ruling comes, it could give CEs clarification on when they can charge more for releasing medical records than the limited cost-based fees in the 2016 OCR guidance. CIOX also wants the court to stop enforcement of OCR’s guidance on the grounds that it’s essentially a regulation that hasn’t gone through the proper rulemaking process. But whether there will be a ruling is open to question: HHS has filed a motion with the U.S. District Court for the District of Columbia to dismiss the lawsuit.
Complying with patient requests for records hasn’t been a problem, says Barbara Duncan, HIPAA privacy officer at Stormont Vail Health in Topeka, Kansas. Occasionally a patient or attorney complains that the records were never received, she says. If that happens, the health system re-sends the records, this time by certified mail. Many patients request and retrieve their own PHI through the patient portal.
There are indications of trouble with patient access. Early results of the “Patient Record Scorecard,” a new initiative to rate how well CEs comply with the right of access to medical records, are not rosy. Of 51 organizations that received a records request, just nine rated five stars as part of the project launched by Ciitizen Corp., a health care records start-up firm initially focused on assisting patients with cancer. Among the aspects measured were how quickly records were sent and whether patients were able to get them in the “form and format” of their choosing, as required under HIPAA, according to a story in RMC’s sister publication, Report on Patient Privacy.
Contact Peters at ipeters@polsinelli.com, Marting at rmarting@forbeslawgroup.com and Duncan at bduncan@stormontvail.org. Read the resolution agreement and corrective action at http://bit.ly/2mfnCWp. Read the Report on Patient Privacy story at http://bit.ly/2kKJYhP.