HIPAA: Second Settlement this Year Related to Right to Access Initiative
On December 12, 2019, the Office for Civil Rights (OCR) announced its second enforcement action this year related to an individual’s right to access his/her protected health information (PHI). Korunda Medical, LLC (Korunda) settled with OCR for $85,000 for a potential violation of HIPAA’s Right of Access Initiative, designed to ensure covered entities are providing individuals with access to their PHI in accordance with HIPAA’s requirements.
In March 2019, OCR received a complaint from a Korunda patient alleging that Korunda failed to timely forward the individual’s PHI in an electronic format to a third party. In addition to Korunda’s delay in providing access to the PHI, Korunda did not provide access in the format requested, and charged more than a reasonable cost-based fee.
OCR first attempted to provide Korunda technical assistance on how to afford proper access to the individual in an attempt to close the complaint. After Korunda’s continued failure to provide the proper access in a timely manner, a second complaint was made to OCR, at which time OCR opened an investigation into Korunda’s HIPAA compliance.
The Korunda settlement is OCR’s second enforcement of the Right of Access Initiative, with the first also resulting in a $85,000 settlement. In a press release from OCR announcing the Korunda settlement, OCR’s Director Roger Severino, stated, "For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law."
In the wake of OCR’s enforcement actions involving individuals’ right to access his/her PHI, covered entities should carefully review HIPAA’s right to access requirements, including OCR’s Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 guidance. We have summarized certain of the requirements here:
Timeframe for Response: The covered entity must permit the individual to inspect and/or obtain a copy of the individual’s PHI maintained in a designated record set (or deny access where permitted) no later than 30 days after receiving the individual’s request. OCR states the “30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.” HIPAA provides an option to extend the time by an additional 30 days if proper procedures are followed (including the requirement to inform the individual of the reason for the delay).
Form and Format of the PHI: PHI must be provided in the form and format requested by the individual, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. Note that OCR states that email is considered readily producible by all covered entities. If an individual requests transmission by unsecured email, the covered entity should warn the individual of the risks of transmitting PHI in an unsecured manner and generally speaking, the covered entity is not responsible for disclosure of PHI while in transmission if individual still wants the PHI transmitted in an unsecured manner, after being warned.
Format of Individual’s Request: A covered entity may require individuals to request access in writing, and may require use of the covered entity’s form, as long as the covered entity informs individuals of this requirement in advance (e.g., in the Notice of Privacy Practices) and it does not create a barrier to or unreasonably delay the individual from obtaining access to the PHI. Note that covered entities cannot require individuals to fill out a full HIPAA authorization to obtain access to his/her own records, as OCR has stated this would be an impermissible barrier to access.
Right to Direct Copy of PHI to a Third Party: An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. This is still considered an “access” request and is subject to the all requirements for responding to an individual’s access request, such as the fee limitations below. Where it is unclear, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the covered entity should clarify with the individual whether the request was a direction from the individual or a request from the third party.
Fees: HIPAA strictly limits the fees that individuals may be charged for access to PHI. The fee charged may include only the cost of: (1) labor for copying the PHI once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive), if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual in advance. Fee may not include costs associated with verification; documentation; searching for or retrieving PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed in (1) – (4). Individuals must be informed in advance of approximate fee that may be charged.
In addition to Korunda’s $85,000 settlement, Korunda also entered into a Corrective Action Plan (CAP) with OCR, which requires Korunda to submit information to OCR every 90 days regarding all access requests received, and supporting documentation for any denied requests for access, during the one year term of the CAP. Korunda also must update its HIPAA policies and procedures and provide HIPAA training to workforce members.