The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has settled its tenth HIPAA Right of Access Initiative case against the Riverside Psychiatric Medical Group (RPMG). HIPAA, the Health Insurance Portability and Accountability Act of 1996, is U.S. legislation created to improve health coverage standards and combat fraud and abuse related to protected health information (PHI).
RELATED: What is HIPAA? Or is it HIPAA?
OCR enacted the Right of Access Initiative in 2019 to support individuals seeking access to their PHI under the HIPAA Privacy Rule. In this blog, we will explore more about the Privacy Rule and the Right of Access Initiative as well as what its enforcement means for HIPAA covered entities (CEs).
The HIPAA Privacy Rule, enacted in 2003, establishes national guidelines regarding how CEs protect medical records—i.e., PHI and electronic PHI (ePHI). In other words, it sets the standards for HIPAA compliance. Under the rule, CEs must establish appropriate safeguards and set limits on PHI use and disclosure.
RELATED: Permitted Use and Disclosure of Protected Health Information (PHI) Under HIPAA
Furthermore, the Privacy Rule also spells out patients’ rights on how to understand and control (i.e., access) their health information. Upon request, a CE must provide a patient his/her PHI, called a designated record set, within 30 days. It may only charge a reasonable cost-based fee. OCR defines a designated record set as a group of records that comprise:
The Privacy Rule also excludes some records, such as those kept to make certain quality assessments or general business decisions. This includes two “expressly excluded” categories:
OCR announced the HIPAA Right of Access Initiative as an enforcement priority in 2019. The federal agency investigates all HIPAA violations, whether due to a security breach, noncompliance, or an error in right of access denial.
RELATED: Authorized Access to Medical Records is Important, Too
According to the Initiative’s guidance, “Putting individuals ‘in the driver’s seat’ with respects to their health . . . is a key component of health reform and the movement to a more patient centered health care system.” The first OCR case, settled in September 2019, was against Bayfront Health St. Petersburg for failure to provide a mother timely access to her unborn child’s records. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino within the press release. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” And since the first case, OCR has settled 10 more:
RPMG, based in Riverside, California, is a group practice that specializes in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders. In March 2019, a patient complained to OCR that RPMG failed to send her requested PHI despite asking them repeatedly for two months. OCR contacted RPMG to assist, but the patient filed a second complaint in April after continual noncompliance. At this point, OCR initiated an investigation and found that RPMG failed to take action, committing a potential HIPAA violation.
RELATED: The Complete Guide to HIPAA Violations
RPMG claimed it did not comply because the records included psychotherapy notes, but the Privacy Rule states that denial must include a written explanation. Furthermore, the group could have sent the covered records. Neither was provided. RPMG finally sent the records (excluding the psychotherapy notes) in October 2020 after signing the resolution agreement, assenting to pay OCR $25,000 and enacting a corrective action plan.
CEs need to review their HIPAA-related policies and procedures to ensure they are compliant and remain compliant at all times. Without a doubt, right of access is about delivering proper patient care, which is why OCR and HIPAA provide crucial guidance.
SEE ALSO: HIPAA Compliant Email: the Definitive Guide