Prior to the holiday, the OCR settled its thirteenth enforcement action under the HIPAA Right of Access Initiative, which involved a primary care physician practicing in the State of Georgia.  Dr. Peter Wrobel, M.D., P.C., operating under the fictitious name of Elite Primary Care, became subject to an OCR investigation (twice) for his alleged violations of the HIPAA Privacy Rule.

In 2019, the OCR received a complaint stating that Elite Primary Care had failed to provide a patient timely access to his medical records.  The OCR provided Elite Primary Care with technical assistance and closed the complaint.  Just a few months later, the OCR received a second complaint from the same patient stating that he still had not received his medical records.  Following the OCR’s second investigation, Dr. Wrobel must pay a Resolution Amount of $36,000.00 and implement a two-year Corrective Action Plan.

Again, yet another single patient complaint leads to a substantial penalty under the Right of Access Initiative.  Although not specifically stated within the Corrective Action Plan, the steep Resolution Amount seems like a by-product of the OCR’s frustration at having provided technical assistance only to receive a second complaint involving the same patient and the same issue.  For the entire press release, please click here.

Additionally, for more information on past enforcement actions under the HIPAA Right of Access Initiative, please click here.

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, bringing the total to 11 settlements thus far.  In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on providers that failed to provide timely access to a patient’s protected health information, imposing six-figure fines in two instances and two-year Corrective Action Plans on all four occasions.  In addition, the OCR Director delivered some stern remarks regarding providers’ obligations under the HIPAA Privacy Rule.

I.         Dignity Health

On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation, involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), a large acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that, acting as her son’s personal representative, she had made multiple requests for her son’s medical record, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.

The OCR determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR imposing a $160,000 “Resolution Amount” (as defined in the Corrective Action Plan) and requiring Dignity Health to enter into a two-year Corrective Action Plan.  For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS.  You can find the entire OCR announcement regarding Dignity Health here.

II.        NY Spine Medicine

Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative, involving NY Spine Medicine, a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she had requested her medical records from NY Spine Medicine and that, again, the provider failed to deliver the requested medical records after the woman made several inquiries.

The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set.  In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two-year Corrective Action Plan, which included mandated provisions similar to those in the Dignity Health Corrective Action Plan.  Most notably, the OCR Director, Roger Severino, provided some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.

III.      Riverside Psychiatric Medical Group

The OCR announced its tenth enforcement action under the Right of Access Initiative, involving Riverside Psychiatric Medical Group, a group practice focused on mental health and substance abuse located in Riverside, California.  Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group.  However, even after the OCR’s assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two-year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.

IV.      Dr. Bhayani

Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement action against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York.  Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records.  Yet again, the OCR responded by providing Dr. Bhayani with technical assistance.  In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing a $15,000 Resolution Amount and implementing a two-year Corrective Action Plan, which includes a six-year document retention requirement. In other words, the OCR will keep a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.

V.       Moving Forward

Director Severino’s message is loud and clear: the OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative.  Based on the latest wave of settlements, it seems that all it takes is the denial of, or an inadequate response to, a single patient’s or personal representative’s request to access medical records, and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to compliance with a Corrective Action Plan, whether that means hiring additional staff, drafting new policies, or revamping its entire recordkeeping process. Moving forward, all providers should diligently respond to all requests for patient records and ensure that their policies and procedures comply with the Privacy Rule.

**** Update: University of Cincinnati Medical Center

Following the initial posting of this blog, the OCR subsequently announced the settlement of its twelfth investigation under the HIPAA Right of Access Initiative, which involved the University of Cincinnati Medical Center, LLC (“UCMC”). UCMC is an affiliate of the University of Cincinnati and offers a wide range of medical services within the Greater Cincinnati metropolitan area.  In 2019, the OCR received a complaint from a patient stating that UCMC failed to deliver an electronic copy of her health records to her lawyers.  Upon further investigation, the OCR determined that UCMC failed to timely respond to the patient’s request to deliver her medical records to a third party, which is a permissible request under the Privacy Rule.  As a result, the OCR issued a $65,000 Resolution Amount and mandated a two-year Corrective Action Plan.  You can find the entire OCR announcement regarding UCMC here.

If you have any questions regarding the Right of Access Initiative and how it affects your practice or healthcare business, please do not hesitate to contact us.

Covered entities beware: a timing pitfall lurks within the recently adopted rules prohibiting information blocking.  We have posted about OCR’s “Right to Access Initiative” and numerous enforcement actions taken to make sure that covered entities respond to patient access requests in a timely manner.  The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days, but OCR has emphasized that this is an “outer limit and covered entities are encouraged to respond as soon as possible.”

Soon, when compliance with the rules adopted by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) is required, covered entity health care providers will have another outer limit to contend with when responding to patient access requests.  These rules implement certain provisions of the 21st Century Cures Act and are often referred to as the “Information Blocking rules”, though they also address interoperability of electronic health information and the ONC IT Certification Program.

The Information Blocking rule incorporates and cross-references many of the HIPAA Privacy Rules, including the rule giving individuals the right to access their PHI (45 C.F.R. 164.524).  The Information Blocking rule also provides specific exceptions for activities that will not be considered information blocking.  The exceptions generally align with (and cross-reference) provisions in the HIPAA Privacy Rule.  For example, the “preventing harm” exception aligns with the HIPAA access right exception that allows a covered entity to deny an access request when a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person.

Only one exception, however, includes an “outer limit” for response, and the outer limit is much shorter than the 30-day limit for responding to HIPAA access requests.

The “infeasibility exception” applies when certain events or circumstances prevent the health care provider from responding to an access request.  These include “uncontrollable events” such as (among others specified in the rule) public health emergencies, internet service interruptions, and labor strikes; the inability to segment the requested information from certain types of other electronic health information, such as information that cannot be made available by law; or where specified circumstances exist that make responding to the request infeasible.  However, if a health care provider denies an individual’s access request under the infeasibility exception, the provider must respond, in writing, to the individual within ten business days of receipt of the request, explaining why providing the requested access is infeasible.

HHS recently extended the date for compliance with the Information Blocking rule from November 2, 2020 to April 5, 2021, but covered entity health care providers may want to take steps now to account for the shortened response time for access requests that may meet the “infeasibility exception”.  Reviewing and amending business associate agreements and HIPAA policies and procedures to incorporate faster turn-around times are good places to start.  Training personnel about the changes and documenting all activities undertaken by the covered entity to comply are other good ways to demonstrate serious compliance efforts.

Mental health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to production. However, recent settlements published by the Office for Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020 remind all providers that patients and their authorized representatives have a right to access their records.

Right to Access Initiative:

In 2019, OCR launched the Right to Access Initiative based on concerns that health care providers were not responding to requests for records in a timely manner. In 2019, OCR’s Right to Access Initiative resulted in financial penalties and corrective action plans for two providers who had failed to provide patients with timely access to their records as required under HIPAA. Bayfront Health St. Petersburg, a Florida hospital, paid $85,000 and adopted a corrective action plan requiring one year of monitoring after a patient’s complaint to OCR led to the release of records nine months after the initial request. Korunda Medical, LLC, a primary care and pain management provider, also in Florida, paid the same amount and agreed to a similar one-year compliance monitoring arrangement as a result of its delays in forwarding records to a third party, failure to provide records in an electronic format, and overcharging for the records.

The Right to Access Initiative suffered a setback on January 23, 2020 when a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.” Additionally, the court ruled that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020). OCR has posted a notice that its previous third party directive guidance is restricted by the Ciox order but also reaffirmed that the right of individuals to access their own records and the fee limitations that apply when exercising this right has not changed.

Five New Settlements:

On September 15, 2020, OCR issued a press release announcing five additional settlements pursuant to its HIPAA Right to Access Initiative. All the settlements involved failure to produce records to just one individual. Three of the five settlements involved providers of mental health/psychiatric services, one provider treated HIV/AIDS patients and one provider helped with pain management. Additionally, three of the five settlements involved continued complaints from the same individual after “technical assistance” had been provided by OCR to the providers. The penalties ranged from $3,500 to $80,000. All providers also agreed to sign corrective action plans requiring government oversight for either one or two years.

These five additional settlements demonstrate that OCR continues to take the right of access seriously, and that a complaint from one individual is enough to trigger monetary penalties and a corrective action plan with government monitoring. Providers, including those who provide mental health and substance abuse services, should review their HIPAA policies and procedures and ensure that they are being followed and that requested documents are being provided in a timely manner.

A patient asks her doctor to send her test results to an app the patient has downloaded on her phone.   The doctor worries that the app is not secure and that the patient might not understand the security risks.  What should the doctor do?

Covered entity health care providers and their business associates likely need to update their HIPAA Access Rights Policies and Procedures to address this scenario.  Rules recently adopted by the Office of the National Coordinator (ONC) to implement certain provisions of the 21st Century Cures Act prioritize patient choice when it comes to requests for electronic health information (EHI).

According to ONC, the information blocking rule:

[S]trongly encourages providing individuals with information that will assist them in making the best choice for themselves in selecting a third-party application. We believe that allowing actors to provide additional information to individuals about apps will assist individuals as they choose apps to receive their EHI … . Individuals concerned about information privacy and security can gain a better understanding about how the third-party apps are using and storing their EHI, how individuals will be able to exercise any consent options, and more about what individuals are consenting to before they allow the app to receive their EHI.  Practices that purport to educate patients about the privacy and security practices of applications and parties to whom a patient chooses to receive their EHI may be reviewed by OIG or ONC, as applicable, if there was a claim of information blocking. However, we believe it is unlikely these practices would interfere with the access, exchange, and use of EHI if they meet certain criteria.

ONC warns that information provided to the patient about the privacy or security of the app must:

  1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
  2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
  3. Be provided in a non-discriminatory manner. For example, all third-party apps must be treated the same way in terms of whether or not information is provided to individuals about the privacy and security practices employed.

Ultimately, it is the individual’s decision as to whether to use the app to access health information:

To be clear, an actor [such as a provider or its business associate] may not prevent an individual from deciding to provide its EHI to a technology developer or app despite any risks noted regarding the app itself or the third party developer.

The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000 euros every two weeks, up to a maximum of 300,000 euros.

According to DutchNews.nl, the authority’s chairman Aleid Wolfsen said: “The relationship between a healthcare provider and a patient should be completely confidential. Also within the walls of a hospital. It doesn’t matter who you are.”

Key takeaways:
  • Have adequate logs in place: The hospital must regularly check who consults which file.
  • Good security requires authentication that involves at least two factors.

Details from the Dutch Data Protection Authority.
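The first takeaway above only helps if someone actually reviews the access logs. The script below is an added example, not code from the Dutch Data Protection Authority or the hospital; it reviews a constructed EHR access log and flags every access by a user who has no recorded treatment relationship with the patient, plus any record opened by an unusually large number of distinct users (the pattern behind the Haga case). The log format, the care-team table and the threshold are assumptions made for the example.

```python
"""Review an EHR access log for unnecessary record access (added example).

Assumptions (not from the page): the log is CSV with the columns
timestamp,user,role,patient_id,action, and a separate care-team table records
which users have a treatment relationship with each patient.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log: patient P100 is opened by six different staff members,
# only two of whom are on the care team.
ACCESS_LOG = """timestamp,user,role,patient_id,action
2019-04-01T08:02:11,nurse_a,nurse,P100,view
2019-04-01T08:05:43,dr_b,physician,P100,view
2019-04-01T09:10:00,clerk_c,admin,P100,view
2019-04-01T09:12:30,nurse_d,nurse,P100,view
2019-04-01T09:14:02,nurse_e,nurse,P100,view
2019-04-01T09:20:55,dr_f,physician,P100,view
2019-04-01T10:00:00,nurse_a,nurse,P200,view
2019-04-01T10:05:00,dr_b,physician,P200,update
2019-04-01T11:00:00,nurse_d,nurse,P300,view
"""

# Constructed care-team table: patient_id -> users with a treatment relationship.
CARE_TEAM = {
    "P100": {"nurse_a", "dr_b"},
    "P200": {"nurse_a", "dr_b"},
    "P300": {"nurse_d"},
}


def parse_log(text):
    """Parse the CSV log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def accesses_without_relationship(rows, care_team):
    """Return (user, patient_id, timestamp) for every access by a user who is
    not on the patient's care team. A patient missing from the table has no
    authorised users, so every access to that record is flagged."""
    findings = []
    for r in rows:
        if r["user"] not in care_team.get(r["patient_id"], set()):
            findings.append((r["user"], r["patient_id"], r["timestamp"]))
    return findings


def records_with_unusual_reach(rows, max_distinct_users=3):
    """Return {patient_id: distinct user count} for records opened by more than
    max_distinct_users distinct users; the threshold is an assumed value."""
    users = defaultdict(set)
    for r in rows:
        users[r["patient_id"]].add(r["user"])
    return {p: len(u) for p, u in users.items() if len(u) > max_distinct_users}


def review(text, care_team, max_distinct_users=3):
    """Run both checks over a log and return the findings as a dict."""
    rows = parse_log(text)
    return {
        "no_relationship": accesses_without_relationship(rows, care_team),
        "unusual_reach": records_with_unusual_reach(rows, max_distinct_users),
    }


if __name__ == "__main__":
    result = review(ACCESS_LOG, CARE_TEAM)
    for user, patient, ts in result["no_relationship"]:
        print(f"{ts} {user} opened {patient} without a treatment relationship")
    for patient, n in result["unusual_reach"].items():
        print(f"{patient} was opened by {n} distinct users")
```

Each flagged access is a review item for the privacy officer, not proof of misuse; legitimate break-glass access should be reconciled against the documented justification before any conclusion is drawn.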

Data subject access rights and your medical practice: The UK Information Commissioner’s Office (ICO) issues advice.

Medical practices have reported a significant rise in subject access requests (SARs) since the GDPR came into effect in May last year, which is a similar trend in other sectors. Here are some points of advice from the ICO:

  • General Practitioners (GPs) cannot query the reason for requesting the information.
  • Providing a patient with online access to their health records may be sufficient.
  • SAR response may be provided electronically (subject to safeguards such as encryption).
  • GPs can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.

Where an SAR is made on behalf of a patient by their legal representative:

  • GPs may ask for evidence of clear, specific authority of the data subject to exercise their right of access
  • If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought
  • In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient

Details from the UK ICO.

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review

Privacy Rule
  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  • Provision of Notice – Electronic Notice [§164.520(c)(3)]
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
  • Timeliness of Notification [§164.404(b)]
  • Content of Notification [§164.404(c)(1)]

Security Rule
  • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols, to be sure employees aren’t requiring a patient (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP.

“There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector,” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice.

In its survey of cybersecurity professionals and risk experts across insurance, legal and other industries, Fox found that despite companies’ pouring real money and resources into data security:

  • 65 percent said the private sector is only “somewhat prepared” to respond to a data breach;
  • 15 percent stated it is “not prepared” at all; and
  • Only 20 percent said the private sector is “very prepared.”

The survey’s 75 respondents also expressed significant concern about senior management’s understanding of how data is, and can be, vulnerable. In fact, more than 85 percent said senior business leaders could “not accurately” or only “somewhat accurately” identify and address their companies’ data collection and storage practices.

“Companies in all sectors need to understand what types of data they collect, who has access to it and how it is stored well before a breach takes place,” Vernick added. “If they don’t follow best practices, it will cripple their ability to respond effectively and lead to costly litigation.”

In the debate over encryption and “access to data,” 84 percent of the Fox survey respondents favored the private sector’s right to guard customer data against government access in the event data was encrypted and otherwise not accessible. Nearly 75 percent also believe the private sector should be permitted to tell customers when the government subpoenas their data.

Survey respondents cited the following areas as requiring the most improvement by the private sector when it relates to cybersecurity strategy:

  • Employee training (29 percent);
  • Vendor management (24 percent);
  • Security and protection of systems, networks, firewalls and applications (19 percent);
  • Funding and resources (19 percent);
  • Encryption of data (5 percent); and
  • BYOD security (4 percent).

Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security.  It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances.  Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says “I want my PHI” in a way that complies with HIPAA and state law access requirements, even when these requirements seem confusing and contradictory.

HIPAA authorizations are, perhaps, one of the most commonly misunderstood and misused forms. The HHS Guidance helpfully reminds CEs that authorizations are not needed for a CE to share PHI for treatment, payment and health care operations, and, of course, a CE can share PHI with a business associate under a HIPAA-compliant business associate agreement.  But when an individual requests PHI, whether directly or through a third party, it’s critical that the CE understand whether it is an access request or a request for disclosure pursuant to a HIPAA-compliant authorization.

My law partner and fellow HIPAA enthusiast Beth Larkin comments on some of the difficulties a CE faces when responding to an individual’s access request, highlighting the need to distinguish between an access request and disclosure pursuant to an authorization:

The HHS guidance wants CEs to provide individuals “easy access” to their health information.  CEs still, however, have to deal with other HIPAA requirements, including verification of the identity of the requestor, securing the PHI from unauthorized access and determining breach if there is unauthorized access.  Also, it is not always clear whether a patient is exercising an access right or requesting PHI pursuant to an authorization.  The patient may not know the difference and just indicates he or she wants copies of records and may present either an access request or an authorization form.

The HHS Guidance explains that while a CE can require an individual to submit a written access request, it can’t do so in a manner that creates a barrier or would delay the individual’s access:

For example, a doctor may not require an individual: …  [t]o use a web portal for requesting access, as not all individuals will have ready access to the portal …

If a CE uses a written form for individuals to request access to records (and ensures the form is readily accessible in multiple ways), the CE should give individuals as much information as possible about each form.

For example, as illustrated in the chart included in the HHS Guidance, a HIPAA authorization permits, but does not require, a CE to disclose the PHI.  An access request requires the disclosure (and requires the CE to act on the request within 30 days).  In addition, HHS explains that fees charged by the CE are limited when the individual requests access, but not when PHI is requested pursuant to an authorization (though certain charges might be prohibited under HIPAA regulations proscribing the receipt of remuneration for the disclosure of PHI). Finally, HHS notes that PHI sent pursuant to an authorization must be sent securely, while an individual can request that PHI sent pursuant to an access request be sent through an unsecure medium (though the risks of such a choice should be communicated to the individual if feasible).  If the CE makes all of this information clear and encourages the individual to ask questions as to which form should be used, it seems reasonable for the CE to then rely on the individual’s choice of form.

When a third party requests an individual’s PHI, though, it can be especially difficult for a CE to figure out whether an authorization form has been sent when an access request would have been appropriate. Here, HHS suggests the CE reach out to the individual:

Where it is unclear to a covered entity, based on the form of request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to a third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.

In short, if a HIPAA authorization is really an individual’s misguided attempt to say “I want my PHI!”, the CE will need to make sure it follows the individual access right requirements in responding.