There’s a parallel here with the Subject Access Request (SAR, or sometimes DSAR for ‘Digital’) under GDPR. The basic principle, whether for patient records or more general personal information, is that you need to be set up to provide timely and accurate (and redacted – you don’t want to inadvertently share anyone else’s information) information on request:
On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first-ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response to allegations that it failed to provide a mother with timely access to medical records concerning her unborn child. Under the terms of a resolution agreement, Bayfront agreed to pay $85,000 and enter into a one-year corrective action plan (CAP).
OCR initiated an investigation of Bayfront in response to a 2018 patient complaint. According to OCR’s investigation, the patient initially submitted a written request for fetal heart monitor records in October 2017, and subsequently submitted follow-up requests through counsel in January and February of 2018. Bayfront allegedly did not provide a complete set of records to the patient’s counsel until August 2018, and the patient reportedly did not receive the records directly until February 2019. OCR’s investigation thus “indicated that Bayfront failed to provide access” to PHI about the patient in a designated record set, in accordance with 45 C.F.R. § 164.524. Bayfront did not admit liability as part of the resolution agreement.
Under the terms of the CAP, Bayfront is obligated to update its written access policies to comply with HIPAA, and provide HHS with access to those policies within 60 days for review and approval. The policies must include provisions addressing HIPAA’s right of access, as well as protocols for training of workforce members and sanctions for non-compliant workforce members. Bayfront will also be obligated to submit an implementation report within 120 days after receiving HHS approval of the policies and procedures, and an annual report that includes training materials on the new HIPAA policies and procedures, as well as attestations of compliance with the CAP’s requirements.
This enforcement action is part of OCR’s new “Right of Access Initiative” that is intended to “vigorously” ensure that patients are able to “receive copies of their medical records promptly and without being overcharged.” Health care providers and other entities subject to HIPAA would therefore be well-advised to review their policies and procedures for providing access to medical records, because potential violations of HIPAA’s right to access are under heightened governmental scrutiny at this time.