February 18, 2021
Under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy of Individually Identifiable Health Information (Privacy Rule), covered entities (payers, insurers, hospitals, physicians, and other healthcare providers) must act on an individual’s request for access to their health records within 30 days. However, in December of 2020, the United States Department of Health and Human Services (HHS) issued a notice of proposed changes to modify multiple standards within the Privacy Rule, including shortening covered entities’ required response time to fulfilling a patient’s request for copies of their Protected Health Information (PHI) to no later than 15 calendar days.
Although this proposal aims to increase permissible disclosures of PHI and improve patients’ care coordination and case management, these changes may drastically change healthcare entities’ current health information management procedures and workflow. Those that do not adapt quickly to comply with the potential Privacy Rule changes (entities will have 180 days to make the necessary modifications) could be at increased risk of HIPAA fines and settlements.
In April 2019, HIPAA launched an initiative to enforce the Privacy Rule, focusing on patients’ rights to timely access to their medical records. The initiative resulted in over 13 fines and HIPAA settlements against various healthcare organizations, with penalties ranging from $3,000 to the most recent settlement of $200,000 against Arizona-based Banner Health. Banner was cited after two patients’ record requests were found to have taken over four months to complete. Federal regulators documented that the healthcare facility did fulfill the patients’ requests for protected health information; however, the time it took to provide the data exceeded that permitted by the Privacy Rule.
The Office of Civil Rights (OCR) also conducted an audit of covered entities and business associates for compliance with HIPAA privacy and security rules and compiled their findings into a December 2020 report. Results of the audit found that 89% of covered entities failed to ensure individual right of access. Some covered entities did not maintain adequate records of how and when they responded to a request, appearing to breach the 30-day response requirement and failing to provide the patient with a written notice informing them of their rights to request a review of any denial decision.
To stay compliant with the Privacy Rule changes that may be forthcoming, healthcare organizations may want to consider preparing by evaluating the following practices:
Patient access to health records is expected to continue to be a top enforcement priority of the HHS under the Biden administration. With the 60-day window of comments on the proposed regulation coming to a close, final regulatory changes will likely be announced soon. See the original Notice of Proposed Rulemaking for more information. If you have more questions on how to prepare your healthcare organization for these potential changes, contact Parker, Smith & Feek.
Danielle Donovan is Parker, Smith & Feek’s Clinical Risk Manager, dedicated to helping improve our healthcare clients’ operations and mitigate risks. She publishes regular articles to support this effort and provide unbiased advice on issues facing all types of healthcare organizations. Stay tuned for her next installment, and contact Parker, Smith & Feek’s Healthcare Practice Group if you would like to learn more.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.