HHS Issues 17th HIPAA 'Right of Access' SettlementMeanwhile, Compliance Deadline Looms for Regs Mandating Records Access via Smartphones
Federal regulators are continuing their campaign to ensure patients have timely access to their health records as required under HIPAA. The Department of Health and Human Services has issued its 17th settlement in a case involving failure to fulfill a patient's request to access records.
Arbour Inc., a behavioral health services organization based in Jamaica Plain, Massachusetts that operates under the name Arbour Hospital, has agreed to pay $65,000 and take corrective actions as part of the records access settlement, according to the HHS Office for Civil Rights.
"Healthcare providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care," says Robinsue Frohboese, OCR's acting director.
The latest settlement comes as new records access requirements loom.
Information blocking and health IT interoperability regulations under the 21st Century Cures Act, which have a compliance deadline of April 5, require, for example, that organizations provide patients with access to "core data" in their electronic records via smartphones and standardized application programming interfaces.
The Arbour Case
OCR says that in July 2019, a complaint was filed with the agency alleging that Arbour failed to take timely action in response to a patient's records access request made in May 2019.
Although OCR says it provided Arbour with technical assistance on the HIPAA right of access requirements, later in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the patient's records access request.
OCR initiated an investigation and determined that Arbour's failure to provide timely access was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt, or within 60 days if an extension is applicable. Under proposed changes to the HIPAA privacy rule, OCR is considering reducing to 15 days the time in which covered entities must fulfil patients' requests to access their health information.
As a result of OCR's investigation, Arbour finally provided the patient with a copy of their requested records in November 2019, more than five months after the patient made the request, the agency says
Arbour did not immediately respond to Information Security Media Group's request for comment.
The resolution agreement in the case requires Arbour to take a number of corrective actions, including:
- Develop, maintain, revise and distribute its patient record access policies and procedures to comply with the HIPAA Privacy Rule;
- Provide training for all workforce members and business associates who are involved in receiving or fulfilling patients' requests for access to records;
- Apply appropriate sanctions against workforce members who fail to comply with the access policies;
- Implement a process for reviewing business associates' performance with regard to access requests and responses and terminating relationships with BAs that fail to comply.
HHS OCR launched its "right of access" enforcement initiative in April 2019. Since then, the agency's 17 settlements in these cases have had financial penalties ranging from $3,500 to $200,000.
While most of those settlements were issued in 2020, three settlements have been announced so far this year (see: Sharp Healthcare Latest to Be Fined for Records Access Failure).
"OCR identified widespread failure to provide patients with HIPAA-required access to their health information as a major barrier for patients to be engaged in their own healthcare," says regulatory attorney Paul Hales of Hales Law Group. "I see no reason why OCR will not continue its 'right of access' enforcement initiative" under the new Biden administration, he adds.
The new regulations that require providing patients with access to their records via smartphones and standardized APIs also require patients to have access "without delay" to other specific health information, such as physician notes, that historically has been difficult to obtain.
The two new regulations "are more complex than HIPAA’s patient access standard," Hales says. "Information blocking violations can result in serious civil money penalties and 'additional disincentives' that have not yet been defined," he says.
"The degree of initial enforcement remains to be seen. However, organizations’ senior management should make provision of compliance resources, expertise and training a high priority right now."
Complying with the two new regulations will represent a paradigm shift for many organizations, regulatory attorney Vimala Devassy of the law firm BakerHostetler said during a recent panel discussion at the Information Security Media Group Virtual Cybersecurity Summit: Healthcare.
"For so long, providers have curated health information for their patients and held their hands and explained tough lab results," she said.
"It's a little bit of an uphill battle to switch gears and have situations where a patient might be learning about a cancer diagnosis or a debilitating disease in front of their computers rather than in the office with the immediate comfort of physician right there to distill the information."