Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.
First, although the “penalty” amounts are relatively low, OCR is still definitely intending to set a clear expectation about patients’ right of access afforded under HIPAA. The amounts in these new cases ranged from $3,500 on the low end, which OCR assessed against a psychiatrist in Virginia, and went up to $70,000, which OCR assessed against a large behavioral health service provider in Massachusetts. The other amounts assessed were: $10,000 against a small psychiatric practice in Colorado; $15,ooo against a family medicine clinic in California; and $38,000 against a NYC non-profit organization providing health care, homeless services, advocacy, and legal aid support for people living with HIV/AIDS. Although these numbers might not strike the “the-fear-of-OCR” into covered entities, they are clearly intended to send a message about HIPAA’s right-of-access requirement which has been — at least to-date — enforced less than other areas of HIPAA. However, this will likely change as mandated interoperability and FHIR standards continue to accelerate an individual’s ability to request access to their electronic health information through Apps, and other means; and, so this is definitely a good time for all covered entities to get those HIPAA Patient Access policies and procedures tightened up to strictly comply with HIPAA, as well as the new Information Blocking rules.
The second characteristic that stands out about these cases is that 3 out of 5 of them involved some type of behavioral health provider. The “smallest” case arose out of a patient complaint that was filed with OCR against a psychiatrist with a practice in Virginia alleging that the psychiatrist refused to provide a patient with access to her own PHI. Although OCR initially offered the psychiatrist “technical assistance” with how to comply with the request, when she delayed furnishing the requested information the patient filed another complaint which resulted in OCR taking more formal action. A second case against a small psychiatric practice also arose out of a complaint filed with OCR, which alleged that the practice failed to provide a legal personal representative with access to his minor’s son’s medical records. Finally, the “largest” of the three behavioral health cases also arose out of a complaint filed with OCR alleging that a large behavioral health services provider, which includes a network of practitioners and facilities, failed to provide access to a court-appointed executor (i.e. a personal representative) who was the daughter of a deceased patient.
I think that providers should take note of OCR’s seeming focus on psychiatrists and behavioral health providers as a potential “problematic” source of wrongful denials of request for access to patient information. The unique challenges that arise in the behavioral health context could very well result in a higher frequency of potential “wrongful” denials based on a misunderstanding or misinterpretation of HIPAA’s provisions governing grounds for unreviewable and reviewable denials. There is also another added layer of state-specific laws and regulations governing mental health records which often afford a “higher” level of confidentiality protection that behavioral health providers need to consider. However, it is important to understand that any such “elevated” level of privacy afforded to mental health information does not equate to permitting a provider to deny access to the patient, or the patient’s legally-authorized personal representative. As such, behavioral health providers should spend some time specifically understanding the exact intersection between HIPAA’s requirements, and the laws of their state governing mental health information.
Finally, it’s important to recognize the areas of correction OCR focused on when requiring covered entities to revise their HIPAA right of access policies. Most interestingly, in two of the cases (Housing Works and King MD), OCR required revisions to specifically identify the practice’s methods for “calculating a reasonable cost-based fee for access to PHI, including the methods for calculating costs for: (a) labor for copying the PHI requested by the individual, whether in paper or electronic form (e.g., hourly wage for workforce member copying the requested PHI); (b) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (c) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.” In two of the other cases, OCR required development and implementation of new HIPAA right to access policies and procedures because the covered entity either did not have any such policy, or their versions were largely not compliant with HIPAA. Finally, in the final case (Wise Psychiatry), OCR found that the practice “recently adopted written policies and procedures … which comply with [HIPAA]” however the practice failed to adhere to its own P&Ps. The take away here is of course for covered entities to revisit their P&Ps governing patient’s right to access to ensure that the details of the HIPAA requirements are captured — and especially recent developments and changes to HHS’s guidance on permitted fees that can be charged in light of the Ciox Health v. Azar decision on January 23, 2020.
HIPAA’s right of access provisions can be reviewed here: 45 CFR 164.524