Some covered entities (CEs) refuse to give patients access to their medical records until their bills are paid, potentially in violation of the HIPAA privacy rule, according to a top official from the HHS Office for Civil Rights (OCR).
“We still see a lot of complaints where the entity says, ‘We will give you access when you pay your bill,’” said Serena Mosley-Day, senior advisor of HIPAA compliance and enforcement, at the Virtual Thirtieth National HIPAA Summit March 22.[1] But “those are separate and distinct things.”
That’s one of the problems that has been revealed under OCR’s Right of Access Initiative, which has led to 17 settlements—three so far this year. The HIPAA right of access requires CEs to give patients access to their protected health information (PHI) in one or more “designated record sets” within 30 days of the request.
In the latest resolution agreement,[2] announced March 24, OCR said Arbour Hospital in Massachusetts, which provides behavioral health services, agreed to pay $65,000 to settle a potential violation of the HIPAA privacy rule in connection with its alleged failure to provide a patient with access to their records despite two requests and OCR’s technical assistance. Arbour didn’t admit liability in the settlement.