Protect Your Lab against HIPAA Right of Access Liability Risks
Key points to educate your staff on when it comes to patient requests for test records and other protected health information.
Be sure that your lab’s medical records department responds promptly to patient requests for test records and other protected health information (PHI). While this isn’t a new requirement, it’s one of growing importance now that the HHS Office for Civil Rights (OCR) has made it a priority for Health Insurance Portability and Accountability Act (HIPAA) enforcement. Here’s a look at the liability risk and what you can do to manage it.
HIPAA Privacy Rule Access Response Rules
First, make sure your staff is clear on the right of access rules and timelines. Under the HIPAA Privacy Rule, labs and other covered entities have 30 calendar days to act on an individual’s request for access to their PHI. The clock begins ticking when you actually receive the request. If you need more time to act on the request, you can seek an extension of 30 more calendar days as long as the lab or other entity provides the requestor a written statement listing the reasons for the delay and the date by which it will complete its action in processing the request. These timelines apply even if your lab doesn’t maintain the PHI that the individual requests but instead relies on a business associate to maintain the data on your behalf. Also keep in mind that the 30-day response deadline clock starts ticking on the date the lab receives the request, rather than the date you forward the request to the business associate. Thus, by the time the business associate gets the request from you, precious time might have already been lost. Nor does your lab get an extension for negotiating with the individual on the scope or format of the request. In other words, the clock still begins on the date of receipt, rather than the date negotiations end. Compliance Pointer: Recognize that the federal HIPAA rules are minimum requirements and that states can impose shorter deadlines and more stringent requirements. So, be sure to check the rules of your own state.The HIPAA Right of Access Initiative
Historically, the OCR, the agency in charge of enforcing the HIPAA Privacy Rule, has focused on unlawful collection, use, and disclosure, and provider efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule’s right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, total right of access fines reached 14. Change in administration hasn’t resulted in change of enforcement policy. The Biden administration OCR has now issued 13 right of access fines, including a whopping $160,000 penalty, tied for the second biggest under the initiative. The momentum has continued with two more right of access fines issued in March, bringing the total to 27. Here’s a Scorecard of all announced settlements to date.OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)
| Provider | Settlement Amount* | Allegations |
|---|---|---|
| Banner Health ACE | $200,000 | OCR cites two occasions in which Phoenix-based not-for-profit health system took about 6 months to provide patients their requested PHI |
| Rainrock Treatment Center, LLC dba Monte Nido Rainrock | $160,000 | Florida eating treatment disorder took more than 8 months to fulfill patient’s request for a copy of her medical records |
| St. Joseph’s Hospital and Medical Center | $160,000 | Phoenix hospital refused to provide PHI to patient’s mother even though she was his legal representative |
| Dr. Robert Glaser | $100,000 | New York cardiovascular disease and internal medicine doctor didn’t cooperate with OCR’s investigation or respond to its data requests after not providing patient a copy of their medical record |
| NY Spine Medicine | $100,000 | Neurology practice refuses patient’s multiple requests for copies of specific diagnostic films |
| Bayfront Hospital | $85,000 | Florida hospital didn’t provide expectant mother timely access to the PHI of her unborn child |
| Korunda Medical | $85,000 | After first refusing to provide it at all, Florida primary care and interventional pain management services provider sent patient’s PHI to third party in the wrong format and charged him excessive fees |
| Children’s Hospital & Medical Center | $80,000 | Nebraska hospital failed to provide mother of minor patient timely access to her daughter’s medical records, despite repeated requests |
| Renown Health, P.C. | $75,000 | Nevada private, not-for-profit health system didn’t timely honor patient’s request to transfer her EHR and billing records to a third party |
| Sharp Rees-Stealy Medical Centers | $70,000 | California hospital and health care network didn’t timely honor request to transfer patient’s EHR to a third party |
| Beth Israel Lahey Health Behavioral Services | $70,000 | Massachusetts provider ignored request of personal representative seeking access to her father’s PHI |
| Arbour Hospital | $65,000 | Massachusetts mental health services provider kept patient waiting 5 months before granting access to his PHI |
| University of Cincinnati Medical Center, LLC | $65,000 | Ohio academic medical center failed to respond to patient’s request to send an electronic copy of her medical records maintained in its electronic health record EHR to her lawyers |
| Housing Works Inc. | $38,000 | New York City non-profit services provider refused patient’s request for a copy of his medical records |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Georgia primary care practice failed to provide patient access to his medical records |
| *Advanced Spine & Pain Management | $32,150 | Ohio pain services provider took nearly 4 months to provide patient requested medical records |
| Dr. Donald Brockley, D.D.M | $30,000 | Pennsylvania solo practitioner dentist failed to provide a patient a copy of their medical record |
| Denver Retina Center | $30,000 | Colorado ophthalmological services provider took 8 months to provide requested medical records and lacked compliant access policies |
| Village Plastic Surgery | $30,000 | New Jersey practice failed to provide patient timely access to his medical records |
| Jacob and Associates | $28,000 | Psychiatric practice with two offices in California failed to provide a patient requested access to her medical records, ignoring her annual requests for five years in a row |
| Riverside Psychiatric Medical Group | $25,000 | California medical group didn’t provide patient copy of her medical records despite repeated requests and OCR intervention |
| Dr. Rajendra Bhayani | $15,000 | NY physician didn’t provide patient her medical records even after OCR intervened and closed the complaint |
| All Inclusive Medical Services, Inc. | $15,000 | California multi-specialty family medicine clinic refused patient’s requests to inspect and receive a copy of her records |
| Wake Health Medical Group | $10,000 | North Carolina primary care provider never furnished requested records despite charging patient $25 access fee |
| Wise Psychiatry, PC | $10,000 | Colorado psychiatric firm refused to provide personal representative access to his minor son’s medical record |
| Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | West Virginia diabetes clinic made the mother of a minor patient wait nearly 2 years for access to his medical records |
| King MD | $3,500 | Virginia psychiatric practice didn’t provide patient access to her medical records even after OCR intervened, provided technical assistance, and closed the complaint |
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years
Preventing Liability
The key to protecting your own lab from liability is to educate your staff on how and when to respond to patient and OCR PHI access requests. Being sure that people who receive requests understand the timelines and urgency involved is part of the solution. Another best practice is to prepare staffers to field patient questions about their access rights. “Record access disputes are often the product of miscommunication and patient misunderstanding over what they are and are not entitled to expect,” notes a Washington, DC, HIPAA compliance consultant who asked to remain nameless. One effective strategy is to prepare a script of patient FAQs and how to respond to each of them, like the Model Script on page 12 and the Laboratory Compliance Advisor webpage.Implementation Strategy
Give copies of the script to front line staff who routinely field patient PHI access questions, including any person who has face-to-face, phone, or remote contact with patients. Warn staffers not to panic or freelance an answer if and when a patient asks a tough question that the script doesn’t address but instead refer the question to your lab’s privacy officer or other privacy contact, which should be listed on your Notice of Privacy Practices (NPP).Subscribe to view Essential
Start a Free Trial for immediate access to this article