Protect Your Lab against HIPAA Right of Access Liability Risks
Key points to educate your staff on when it comes to patient requests for test records and other protected health information.

Be sure that your lab’s medical records department responds promptly to patient requests for test records and other protected health information (PHI). While this isn’t a new requirement, it’s one of growing importance now that the HHS Office for Civil Rights (OCR) has made it a priority for Health Insurance Portability and Accountability Act (HIPAA) enforcement. Here’s a look at the liability risk and what you can do to manage it.
HIPAA Privacy Rule Access Response Rules
First, make sure your staff is clear on the right of access rules and timelines. Under the HIPAA Privacy Rule, labs and other covered entities have 30 calendar days to act on an individual's request for access to their PHI. The clock begins ticking on the day you actually receive the request. If you need more time, you can take a single extension of up to 30 more calendar days, provided that, within the initial 30 days, the lab gives the requestor a written statement of the reasons for the delay and the date by which it will complete action on the request.

These timelines apply even if your lab doesn't itself maintain the requested PHI but relies on a business associate to maintain it on your behalf. The 30-day clock starts on the date the lab receives the request, not the date you forward it to the business associate, so by the time the business associate gets the request from you, precious time may already have been lost. Nor does your lab get extra time for negotiating with the individual over the scope or format of the request: the clock still starts on the date of receipt, not the date negotiations end.

Compliance Pointer: Recognize that the federal HIPAA rules are minimum requirements and that states can impose shorter deadlines and more stringent requirements. So be sure to check the rules of your own state.

The HIPAA Right of Access Initiative
Historically, the OCR, the agency in charge of enforcing the HIPAA Privacy Rule, has focused on unlawful collection, use, and disclosure of PHI and on providers' efforts to keep PHI private and secure. But in April 2019, the agency announced a new enforcement initiative focusing on the rule's right of access provisions. Less than six months later, the OCR handed down its first ever fine to a provider for failing to comply with its right of access obligations. By January 2021, the number of right of access fines had reached 14. The change in administration has not changed enforcement policy: the Biden administration OCR has now issued 13 right of access fines, including a $160,000 penalty, tied for the second biggest under the initiative. The momentum has continued with two more right of access fines issued in March, bringing the total to 27. Here's a scorecard of all announced settlements to date.

OCR Right of Access Initiative Settlements Scorecard (as of April 8, 2022)
*In addition to the monetary settlement, each accused provider had to agree to implement a corrective action plan and allow the OCR to conduct close monitoring for one to two years
Preventing Liability
The key to protecting your own lab from liability is to educate your staff on how and when to respond to PHI access requests from patients and to inquiries from the OCR. Making sure that the people who receive requests understand the timelines and urgency involved is part of the solution. Another best practice is to prepare staffers to field patient questions about their access rights. "Record access disputes are often the product of miscommunication and patient misunderstanding over what they are and are not entitled to expect," notes a Washington, DC, HIPAA compliance consultant who asked to remain nameless. One effective strategy is to prepare a script of patient FAQs and how to respond to each of them, like the Model Script on page 12 and the Laboratory Compliance Advisor webpage.

Implementation Strategy
Give copies of the script to front line staff who routinely field patient PHI access questions, including anyone who has face-to-face, phone, or remote contact with patients. Warn staffers not to panic or freelance an answer if a patient asks a tough question that the script doesn't address, but instead to refer the question to your lab's privacy officer or other privacy contact, who should be listed on your Notice of Privacy Practices (NPP).