The HHS Office for Civil Rights (OCR) continued its laser focus on HIPAA rules involving patient access to medical records with a series of three settlements that spotlighted different aspects of the patient right of access.
In one settlement, OCR got involved because a medical center failed to send requested records to a woman’s attorney.[1] In another settlement, OCR stepped in because a solo practitioner failed to respond to record requests.[2] And in the third settlement, OCR fielded a complaint that a psychiatry practice wasn’t providing access to patient records.[3]
The payments in the settlements ranged from $15,000 for the solo practitioner to $65,000 for the medical center. In each case, the covered entities will be subject to OCR corrective action plans (CAPs) for the next two years.
Importantly, the three settlements, which come on the heels of nine prior settlements in 2020, indicate that OCR’s focus on the right of access isn’t letting up. “HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said OCR Director Roger Severino in a statement.
California-based Riverside Psychiatric Medical Group (RPMG) agreed to take corrective actions and pay $25,000 to settle a potential violation of the right of access standard that involved psychotherapy notes. The group specializes in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology and substance abuse disorders.[4]
In March 2019, OCR received a complaint from a woman alleging that RPMG had failed to provide her with a copy of medical records despite multiple requests to the medical group beginning the month before. OCR provided technical assistance to RPMG on how to comply with the right of access requirements and then closed the matter.
Access Denial Must Include Reason
However, in April 2019, OCR received a second complaint stating that the medical group still had not provided the patient with access to her medical records. OCR initiated an investigation and determined that RPMG’s failure to take action was a potential violation of the HIPAA right of access standard.
For its part, RPMG claimed that it did not need to comply with the access request because the requested records included psychotherapy notes. However, OCR pushed back on that claim: “While the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding).”
As a result of OCR’s investigation, the medical group sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October 2020.
The two-year CAP requires RPMG to review its right of access policies and procedures within 30 days, revising if necessary to reflect satisfactory compliance with 45 C.F.R. § 164.530(j) and 45 C.F.R. § 164.524 . Then, the medical group has 60 days to provide HHS with those policies and procedures for review, and another 30 days to make any revisions necessary and resubmit them.
Once the revised access policies and procedures are approved, RPMG has 30 days to implement them. The medical group must obtain verification from all appropriate members of its workforce and relevant business associates (BAs) stating that they understand and shall abide by the procedures. RPMG also must reassess the policies and procedures and update as necessary at least annually.
