Provider confusion is often the cause of patient access rights violations

Significant changes are being made to the way patients can access their health information in a timely manner. On February 12, 2021, the U.S. Department of Health and Human Services Civil Rights Office (OCR) announced the 16th enforcement action resolution in its HIPAA right of access initiative. The amounts of these settlements vary, and many more settlements may follow for a variety of reasons.

In this case, Sharp HealthCare agreed to take corrective action and pay $70,000 to settle a possible violation of the HIPAA privacy rule’s access rights standard. The California-based company provides health care through 4 acute care hospitals, 3 specialty hospitals, 3 affiliated medical groups, and a health plan. In June 2019, OCR received a complaint alleging the company failed to take timely action on a patient’s request for access to medical records, in which the patient asked that an electronic copy of protected health information (PHI) stored in an electronic health record (EHR) be sent to a third party.

OCR provided the company with technical support on the requirements of the HIPAA right of access. In August 2019, OCR received a second complaint alleging the company had still not responded to the patient’s request for access to medical records. OCR opened an investigation and determined that the company’s failure to provide timely access to the requested medical records was a possible violation of the HIPAA standard for right of access.

As a result of the OCR investigation, access to the requested records has been completed. “Patients have the right to timely access to their medical records. OCR launched the Right of Access initiative to enforce and support this critical right,” said incumbent OCR Director Robinsue Frohboese in a press release. In addition to the cash settlement, the California company will carry out a corrective action plan that includes a two-year monitoring process.

Ritu Agarwal, PhD, distinguished university professor at the University of Maryland’s Robert H. Smith School of Business at College Park and co-director of the school’s Center for Health Information and Decision-Making Systems (CHIDS), said the current settlements and suggested corrective actions are long overdue. “It is difficult to comment on the size of the settlement without better understanding the loss of the inquiring patient,” said Dr. Agarwal.

Higher billing amounts possible

Elizabeth G. Litten, chief privacy and HIPAA compliance officer for the law firm Fox Rothschild LLP in Princeton, New Jersey, said many providers are unclear about when a person’s request is made under a HIPAA authorization versus a HIPAA access request, especially if a patient wants records to be sent to a third party. “These combined factors have resulted in a ‘perfect storm’ for non-compliance so the number of OCRs and settlements is not surprising,” Litten said. “The relatively low billing amounts are likely due to the fact that many cases of non-compliance are due to supplier confusion rather than negligence or willful non-compliance.”

She expects the investigations and settlements to continue, especially as the National Coordinator of Health Information Technology (ONC) lockout rules come into effect and individuals request access through health apps and other newer technologies. “We may see higher billing amounts if large covered companies or business partners don’t allow access under HIPAA and ONC rules,” said Litten.

New rules proposed

In a notice of proposed rulemaking, first announced in December 2020 and published in the Federal Register in January 2021, HHS proposed changes to the HIPAA rules. According to Litten, some of the proposed changes are intended to provide more clarity on how to respond to access requests. “The proposed rules, if adopted, help somewhat, but more clarity is needed on the difference between HIPAA entitlements and HIPAA access requirements,” Litten said.

HIPAA entitlements typically allow certain PHI elements to be disclosed to certain recipients, must contain specific provisions, and do not imply any HIPAA fee restrictions or response times. HIPAA access requirements generally allow disclosure of all PHI contained in a specified record, do not require specific regulations, and imply fee limits and response times.

Attorney Joseph Lazzarotti of the Jackson Lewis PC law firm in Berkeley Heights, New Jersey, said OCR enforcement has been somewhat sporadic, which may explain some of the lack of technical compliance. “The compliance effort is considerable, especially for smaller providers. The billing amounts are not insignificant, [so] the question is whether the enforcement message reaches the audience,” said Lazzarotti.

Patient authorization

Dr. Agarwal said there are numerous examples of adverse consequences associated with health information breaches, including discrimination and denial of employment. “Unfortunately, the rules and regulations have not evolved with the rest of the healthcare industry, which is increasingly focused on patient empowerment and engagement as a key element of health and wellbeing,” said Dr. Agarwal.

“Patient empowerment begins with personal health information owned by the patient and should be accessible without hindrance. However, this is not always the case. Consider this analogy with financial information: How would you feel if you couldn’t easily find out what your bank balance is? Or whether your deposit has been cleared? Or how much you owe on your credit card?” Dr. Agarwal said.

She said there has been an accelerated digitization of the healthcare industry that began more than two decades ago. “With the widespread use of EHR systems, providers have relatively easy access to patient health information and can facilitate patient access. The changes proposed by OCR will cut the response time required by healthcare providers by half, from 30 to 15 calendar days. Therefore, there may be a higher likelihood of breaking the law and more complaints from patients,” said Dr. Agarwal.

The HIPAA rules were developed in 1996 when the internet was new. At the time, many patients and providers were concerned about the misuse of the Internet in the dissemination of sensitive health information. More than 20 years later, according to Guodong (Gordon) Gao, PhD, MBA, also at the Robert H. Smith School of Business, where he is Professor and Co-Director of CHIDS, the situation has changed significantly.

“In the age of big data and 5G, some of the original HIPAA rules make it difficult for patients to share information with their family members and coordinate providers among themselves. Also, due to HIPAA restrictions, providers are reluctant to use novel channels for the delivery of care products such as telemedicine,” said Dr. Gao.

Patient Health Data “Like a Gold Mine”

The current wave of artificial intelligence (AI) is based on the use of extensive data. The use of AI presents significant challenges that need to be addressed. “Patient health data is like a gold mine,” said Dr. Gao. “For a ‘fair use’ of the data, further changes must be made to HIPAA so that the algorithms can learn from it. This can lead to better decision support for doctors that will benefit all of us.”

“In no case,” he continued, “are we suggesting weakening privacy protection. Rather, through the use of technology, we can achieve the dual goal of improving privacy protection and exchanging information for better care.”


OCR Completes Sixteenth HIPAA Initiative Inquiry into Right of Access. Health and social services; February 12, 2021.

This article originally appeared in the Renal and Urology News
