Points to Consider When Beefing Up Procedures for Access Requests

By Jane Anderson

HIPAA privacy experts recommend a series of steps for health care entities to take to beef up their medical records access programs—and potentially steer clear of HHS Office for Civil Rights (OCR) penalties in the process.

  • Make access a priority. “As the recent sixteenth HIPAA noncompliance settlement for not complying with the right to access requirement demonstrates, organizations must take this activity much more seriously, put aside some time to think through the actions necessary to fulfill such requests, and create procedures for their organization to follow as soon as they receive such requests,” said Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor.

    “The number one situation I’ve seen over the years is that CEs [covered entities] don’t prepare procedures for responding to a right of access,” Herold explained. “They underestimate the activities necessary to respond to such requests and simply assign the responsibility to an individual, team or role, and then it stops there after making that assignment. Those individuals/teams/roles then do nothing. Most think, ‘Sure; if a request comes in, I’ll pull the file and send them a copy.’ Then when the requests start coming in, they realize that, ‘Oops, we should have thought this through better.’ They soon find that they don’t know where all the requested information is located throughout the organization, within their business associates and/or that the information was not retained, so then they cannot provide the information going back six years as required, or they simply do not know where the information is located and don’t know where to start looking.”

    This dynamic takes the situation from bad to worse, Herold said. “They will then often simply not respond to the request, with the expectation that the individual asking for the information will simply forget about it,” but then that violates more of the HIPAA requirement by ignoring the requestor.

    The bottom line: determine in advance how to fulfill requests and put the procedures in place to do so.

  • Designate a privacy officer who is responsible for implementing these procedures. This position is key to the right of access, said attorney Samantha Gross, associate with Saul Ewing Arnstein & Lehr LLP in Philadelphia. “The privacy officer should ensure compliance with the policies and procedures, including those related to the right of access. This means updating the policies as necessary and training workforce members and relevant business associates on those policies and procedures,” Gross said. “The privacy officer or another designated individual should also review the provider’s business associate agreements to ensure business associate agreements are in place and business associates are in compliance with the entity’s policies and procedures. Several recent OCR settlements involved business associates.”

  • Emphasize staff training on privacy and access. “Many health care organizations, particularly smaller physician practices, worked with a HIPAA consultant or purchased an off-the-shelf manual of HIPAA policies and procedures many years ago, put the manual on the bookshelf, and since that time have been under the impression that they were in compliance with HIPAA,” said attorney Eric Fader, a partner with Rivkin Radler in New York City. “This is obviously not good enough,” he said. According to Fader, the two most commonly overlooked requirements in HIPAA are (1) conducting periodic security risk assessments (not relevant to access but most important nonetheless) and (2) properly training and retraining the workforce no less than once per year. “OCR has been auditing providers for many years,” and the Centers for Medicare & Medicaid Services and OCR have been focusing on patients’ right of access since 2019, Fader said.

  • Identify and document all locations where health information is located. This can pay security benefits, along with helping the organization comply with access requirements, Herold said. “When they do this, they will almost always discover health data stored in locations that they had not known about, and will discover old health data that they should have disposed of decades ago, along with discovering security problems for where the information (in all forms and on all types of media) is stored,” she explained, and “not only are they complying with the HIPAA privacy rule right of access requirements, they are also fulfilling security rule risk management requirements to identify risks. And then they continue to comply with more security rule requirements by implementing safeguards appropriate for their own organization to safeguard those newly discovered storage areas—resulting in better security and reduced risk for privacy breaches.”

  • Make sure you’re responding in a timely fashion. Timing is key, Gross explained. “Many of the settlements demonstrate that health care providers are failing to comply with the timing required—specifically that covered entities must respond to a right of access request no later than 30 days after receipt,” according to 45 C.F.R. § 164.524(2), Gross explained. “Covered entities must also provide access to protected health information in the form and format requested by the individual. Many of the settlements involved lengthy...response times after the initial request for records. If a provider is unable to respond or is uncertain about how to respond to a request, the provider should seek assistance immediately given the 30-day window in which it must respond.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings