Office of Civil Rights Warns Patient Right of Access to Medical Records Can’t be Denied

In a recent HIPAA Journal publication, it was stated that the Health and Human Services (HHS) – Office for Civil Rights (OCR), has issued a warning to healthcare providers, focusing on the importance of compliance with the “HIPAA Right of Access,” that is also a part of the 21st Century Cures Act.

They announced that the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38. In their statement, they announced that more than 11 financial penalties for HIPAA-covered entities, such as hospitals, and physician practices, failed to provide patients, when requested, timely access to their medical records.

Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information (PHI) from healthcare providers and health plans.

When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.

Further, if the patient wants their records in a phone app, or digital access that is HIPAA protected, and the physician or facility that this information is being requested from, has that capability, then this is how it must be delivered. If the HIPAA-covered entity does not have that particular platform of delivery, they can ask the HHS-OCR to assist in implementing that electronic capability. There is also an option to direct the patient to their EMR, password protected patient portal, as long as the patient is given easily accessible instructions for use, and agrees to that form of delivery.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Healthcare organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

Likely Interference or Information Blocking

It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results (see also 85 FR 25842 specifying that such a practice does not qualify for the “Preventing Harm” Exception).

To further illustrate, it also would likely be considered an interference:

  • where a delay in providing access, exchange, or use occurs after a patient logs in to a patient portal to access EHI that a health care provider has (including, for example, lab results) and such EHI is not available—for any period of time—through the portal.
  • where a delay occurs in providing a patient’s EHI (electronic health information) via an API (application programming interface or healthcare app) to an app that the patient has authorized to receive their EHI.

HIPAA Right of Access Penalties

Per the HIPAA Journal, the latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.

One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. A second complaint was then filed with OCR a month later when the records had still not been provided.

What is of note, is that many HIPAA-covered entities believe that if the patient has an outstanding balance with that entity or physician practice that they can hold the patient’s records based on that issue. That is an inaccurate assumption.

OCR’s investigation into ACPM Podiatry revealed the records had been withheld as the complainant’s insurance company had not paid the bill, but the complainant said the records were required in order to appeal the unfavorable decision, and that the records were necessary to file that appeal. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, OCR’s notice of proposed determination of a financial penalty, nor the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.

You cannot ignore these patient requests or the requests from the OCR. The release of a patient’s ePHI is not conditional on whether or not their bill is paid in full. The below table reflects some of the recent penalties enforced by OCR for information blocking, and they do publish these entities and the penalties.

Source: HIPAA Journal July 2022

Programming note: Listen live today when Terry Fletcher reports this developing story during Talk Ten Tuesdays, 10 Eastern.


Print Friendly, PDF & Email


Terry Fletcher, BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, CMCS, ACS-CA, SCP-CA, QMGC, QMCRC, is a healthcare coding consultant, educator, and auditor with more than 30 years of experience. Terry is a past member of the national advisory board for AAPC, past chair of the AAPCCA, and an AAPC national and regional conference educator. Terry is the author of several coding and reimbursement publications, as well as a practice auditor for multiple specialty practices around the country. Her coding and reimbursement specialties include cardiology, peripheral cardiology, gastroenterology, E&M auditing, orthopedics, general surgery, neurology, interventional radiology, and telehealth/telemedicine. Terry is a member of the ICD10monitor editorial board and a popular panelist on Talk Ten Tuesdays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Explore the top-10 federal audit targets for 2024 in our webcast, “Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets,” featuring Certified Compliance Officer Michael G. Calahan, PA, MBA. Gain insights and best practices to proactively address risks, enhance compliance, and ensure financial well-being for your healthcare facility or practice. Join us for a comprehensive guide to successfully navigating the federal audit landscape.

February 22, 2024
Mastering Healthcare Refunds: Navigating Compliance with Confidence

Mastering Healthcare Refunds: Navigating Compliance with Confidence

Join healthcare attorney David Glaser, as he debunks refund myths, clarifies compliance essentials, and empowers healthcare professionals to safeguard facility finances. Uncover the secrets behind when to refund and why it matters. Don’t miss this crucial insight into strategic refund management.

February 29, 2024
2024 SDoH Update: Navigating Coding and Screening Assessment

2024 SDoH Update: Navigating Coding and Screening Assessment

Happy World Health Day! Our exclusive webcast is just $99 for a limited time! Use code WorldHealth24 at checkout before April 12th to claim this discount.

Dive deep into the world of Social Determinants of Health (SDoH) coding with our comprehensive webcast. Explore the latest OPPS codes for 2024, understand SDoH assessments, and discover effective strategies for integrating coding seamlessly into healthcare practices. Gain invaluable insights and practical knowledge to navigate the complexities of SDoH coding confidently. Join us to unlock the potential of coding in promoting holistic patient care.

May 22, 2024
2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

HIM coding expert, Kay Piper, RHIA, CDIP, CCS, reviews the guidance and updates coders and CDIs on important information in each of the AHA’s 2024 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 15, 2024

Trending News

Happy World Health Day! Our exclusive webcast, ‘2024 SDoH Update: Navigating Coding and Screening Assessment,’  is just $99 for a limited time! Use code WorldHealth24 at checkout.

SPRING INTO SAVINGS! Get 21% OFF during our exclusive two-day sale starting 3/21/2024. Use SPRING24 at checkout to claim this offer. Click here to learn more →