Patients’ Right of Access Remains an Important Issue for HIPAA Compliance | Locke Lord LLP

Under the Health Insurance Portability and Accountability Act (“HIPAA”), individuals have the right, with some limited exceptions, to access their protected health information (PHI) maintained in a designated record set by a covered entity or the covered entity’s business associate. The HIPAA Privacy Rule permits individuals to inspect or obtain a copy of the PHI, as well as to direct the covered entity to transmit the individual’s PHI to a designated person or entity. HIPAA currently requires a covered entity to respond to an individual’s right of access request within 30 days after receipt of the request, with an option for a thirty-day extension upon providing the requesting individual with a written explanation and the date by which the entity will complete the request. A covered entity’s failure to timely respond to an individual’s right of access request is considered a violation of the HIPAA Privacy Rule.

In 2019, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the creation of its Right of Access Initiative, intended to support individuals’ right of timely access to their health records. Since the creation of the Right of Access Initiative, there has been substantial enforcement activity related to covered entities’ alleged failures to provide individuals with timely access to their health records. At the present time, OCR has settled 18 investigations related to its Right of Access Initiative. From the beginning of 2021 through the end of April 2021, five of the six OCR-announced settlements have concerned the HIPAA Right of Access Initiative, and include the following:

  • On January 12, 2021, OCR announced that Banner Health agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. OCR received two complaints filed against Banner Health entities alleging violations of the HIPAA Right of Access standard. The first complaint alleged that an individual requested access to her medical records in December of 2017 but did not receive the records until May 2018. The second complaint alleged that an individual requested access to his records in September 2019 but the records were not received until February 2020.
  • On February 10, 2021, OCR announced that Renown Health, P.C. agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that Renown Health did not timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.
  • On February 12, 2021, OCR announced that Sharp HealthCare agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that Sharp HealthCare did not timely respond to a patient’s records access request directing that an electronic copy of the patient’s electronic health record be sent to a third party. OCR provided Sharp HealthCare with technical assistance on the HIPAA Right of Access requirements. Subsequently, OCR received a second complaint alleging that Sharp HealthCare still had not responded to the patient’s records access request. OCR initiated an investigation and determined that Sharp HealthCare failed to provide timely access to the requested medical records.
  • On March 24, 2021, OCR announced that Arbour Hospital (“Arbour”) agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that Arbour did not take timely action in response to a patient’s records access request, and provided Arbour with technical assistance regarding the HIPAA Right of Access requirements. Subsequently, OCR received a second complaint alleging that Arbour still had not responded to the same patient’s records access request. OCR initiated an investigation and determined that Arbour failed to provide timely access to the requested medical records.
  • On March 26, 2021, OCR announced that Village Plastic Surgery (“VPS”) agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. OCR received a complaint alleging that VPS did not take timely action in response to a patient’s records access request. OCR’s investigation revealed that VPS did not timely respond to the patient’s request.

In addition to the recent right of access enforcement actions, on January 21, 2021, HHS released proposed modifications to the HIPAA Privacy Rule that, if passed, will impact an individual’s right of access. HHS is proposing to modify the HIPAA Privacy Rule to shorten a covered entity’s response time for right of access requests to no later than 15 calendar days (with the possibility of a one-time 15 calendar day extension). HHS is also proposing to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to access or unreasonably delay it. An unreasonable measure would include, for example, requiring the use of a form that requests extensive information from the individual that is not actually necessary to fulfill the request. The comment period for the proposed rule changes closed on May 6, 2021.

It remains to be seen whether HHS will enact the proposed modifications related to an individual’s right of access under the HIPAA Privacy Rule. Nonetheless, covered entities should continue to ensure individuals have timely access to their health records or risk costly enforcement action.
