OCR's "Right of Access" Enforcement Still Going Strong after Sixteenth Settlement to Date

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently settled its sixteenth enforcement action under HIPAA’s right of access provisions. OCR continues its focus on ensuring hospitals and other covered entities provide patients, and patients’ third-party designees, timely access to their medical records at a reasonable cost.

In the sixteenth settlement, the patient sent a written request on April 2, 2019 to Sharp Rees-Stealy Medical Centers (SRMC) requesting that his protected health information (PHI) be sent to a third-party designee. On June 11, 2019, a complaint was filed with OCR alleging SRMC failed to provide the records as requested. Shortly thereafter, OCR provided technical assistance to SRMC and closed the case. However, on August 19, 2019, OCR received a follow-up complaint against SRMC, alleging that the requested records had still not been provided to the third-party designee. The requested records were eventually provided on October 15, 2019, over six months after the initial request. OCR’s investigation concluded SRMC failed to timely respond to the patient’s request to have the PHI sent to the third-party designee as required under 45 C.F.R. § 164.524. As a result, SRMC agreed to pay $70,000 to settle the matter.

OCR’s enforcement of a patient’s right of access has been persistent over the past several years, with no signs of slowing down. The penalties associated with OCR’s enforcement actions have ranged from $3,500 to $200,000, averaging approximately $67,000. In light of the continued right of access enforcement trend, hospitals should be mindful of several key points:

  • Hospitals must provide patients access to their PHI within 30 days of request.

  • The patient’s right of access includes the patient’s right to direct the hospital to send PHI to the patient’s third-party designee.

  • Unless an exception applies, hospitals must provide all records requested, not just some of the records.

  • The records to be produced include all requested records in the hospital’s designated record set, even if the records came from a third party and were not created by the hospital.

  • The hospital should produce the medical records in the form and format requested, if readily producible in that form and format.

  • Hospitals may only charge a reasonable, cost-based fee if the patient requests a copy of their PHI. The fee may only include supplies, postage and the actual cost of labor to produce the records. The fee may not include other costs, even if those costs may be authorized under State law.

There are a few additional highlights worth noting. First, while it is not clear from the OCR press release and related documents whether the patient’s attorney was the designated third party, the settlement nevertheless should be a caution in those cases. Attorneys are becoming frequent instigators of such actions. Second, and perhaps more importantly, had SRMC complied after OCR’s technical assistance, the sanctions would probably have been avoided.

For more information on the HIPAA right of access, hospitals should review the HHS guidance on Individual’s Right under HIPAA to Access their Health Information.
