In the information security space, most conversations around medical records revolve around unauthorized access to patients' health information. But providing legitimate, authorized access to records is also important. In recent weeks, nine healthcare organizations have reached substantial financial settlements with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for failing to provide patients the required "right of access" to their own health records.
What is happening?
The OCR is in the midst of a campaign called the HIPAA Right of Access Initiative, which it launched last year. The OCR is the same federal agency tasked with investigating HIPAA violations, such as when covered entities like hospitals and medical clinics violate the HIPAA Privacy Rule by not properly protecting patients' protected health information (PHI). But the HIPAA Privacy Rule also establishes an individual's right to access their own health information, and the initiative investigates patient claims that they were denied this right.
What records can I request?
HIPAA specifies a "designated record set" that everyone has a right to access, including:
- Medical records and billing records
- Enrollment, payment, claims adjudication, and case management systems or other records that are used to make decisions about individuals
This includes insurance information, clinical laboratory test results, medical images (such as X-rays), wellness and disease management program files, and clinical case notes.
What information is not covered?
A covered entity does not need to provide information that is not involved in patient care, including business planning, development, and management records, such as a hospital’s peer review files or practitioner or provider performance evaluations. The Privacy Rule also expressly excludes two categories of information from the right of access:
- Psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separately from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
What happened in the settlements?
The OCR settled its first case in September 2019, and its ninth just this week. Here is a sampling of the "right of access" failures the agency addressed.
- A patient of NY Spine Medicine received some of her requested medical records, but not the diagnostic films specifically requested. NY Spine agreed to take corrective actions and pay $100,000.
- A mother asked Dignity Health, operators of St. Joseph’s Hospital and Medical Center, for a copy of her son's medical records. Only after multiple requests and the OCR's investigation did the operator provide the records to the mother, more than 22 months later. Dignity Health, based in Phoenix, Arizona, paid $160,000 and must take corrective actions.
- A daughter was unable to obtain her father's medical records from Massachusetts-based Beth Israel Lahey Health Behavioral Services. The mental health network will pay $70,000 and adopt a corrective action plan.
Conclusion
Roger Severino, OCR director, sums it up best. "It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when healthcare providers don’t take their HIPAA obligations seriously," he said in a statement. "OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients."