In 2019, the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services announced that it would pursue, as an enforcement priority, the protection of a patient’s right under HIPAA’s Privacy Rule to receive a copy of the patient’s medical records in a timely fashion upon request.

In short, HIPAA’s Privacy Rule requires three things when it comes to a patient’s right to access with respect to the patient’s medical records. First, in general terms, upon request, a covered entity (such as a doctor’s office) must provide a copy of the patient’s medical records within 30 days or less.

Second, the medical records must be provided to the patient in the format (i.e., either hard copy or electronic) requested by the patient.

And third, the medical provider can only charge a reasonable, cost-based fee for providing the copy of the medical records to the patient. Specific guidelines are set forth in HIPAA for what a provider can (and cannot) charge for providing a copy of medical records to the patient. For example, a medical provider can charge a fee for the labor involved in copying the records, but not for the labor in searching and locating the records. Additionally, a medical provider can charge the cost of supplies in providing the medical records in an electronic format (such as the actual cost of a thumb drive). Finally, a provider can charge for postage if the patient requests that the medical records be mailed to the patient. All providers should review the specifics of what can be charged for medical records to make sure that patients are not being overcharged for copies of records that they request.

Since the OCR announced its Right to Access Initiative in 2019, it has announced a total of 19 different enforcement actions that have been agreed to between the OCR and a healthcare provider. The most recent was just a few days ago and involved a diabetes and endocrine medical practice in West Virginia. In addition to entering into a corrective action agreement with OCR, the medical practice paid a settlement amount of $5,000. To date, the highest settlement amount required of a healthcare provider alleged to have violated a patient’s right to access under HIPAA’s Privacy Rule has been $160,000.

Clearly, the OCR is not letting up on the enforcement of a patient’s right to access under the enforcement initiative that it began a couple of years ago.

All healthcare providers are encouraged to make sure they have policies and procedures in place to ensure that they are in compliance with HIPAA’s Privacy Rule and its mandate to provide timely access to patients’ medical records in conformity with the guidelines of HIPAA.