Deny Patient Access at Own Risk

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

The Office for Civil Rights (OCR) continues its recent attention to enforcing an individual’s right of access under HIPAA. The latest step is the concurrent announcement of five settlements with various entities for alleged failures to provide records upon request. The new settlements build upon the chain that start in September 2019 when OCR imposed the first settlement premised upon a denial of access.

The latest examples are:

  1. Housing Works, Inc. – A non-profit organization providing healthcare, job training, legal aid support and other services primarily to homeless individuals. In July 2019 OCR received a complaint about an individual not having a request for access honored. OCR in turn provided technical assistance, which is not an unexpected outcome. Immediately following the technical assistance though, Housing Works again did not provide timely access, which issue was flagged in an August 2019 complaint. As a result of the failure to provide access, a $38,000 settlement resulted. Arguably the short period of time between the complaints fed into the push to a monetary resolution.
  2. All Inclusive Medical Services, Inc. (AIMS) – AIMS is a multi-specialty clinic covering an array of services. A patient filed a complaint with OCR after AIMS allegedly refused to provide the patient access to records and also subsequently denied a request to inspect the record. The double whammy of denying the patient both a copy and access to review seems to have fed into the $15,000 settlement.
  3. Northeast Behavioral Health Corporation (d/b/a Beth Israel Lahey Health Behavioral Services) (BILHBS) – BILHBS is a network of substance use disorder and mental health services. OCR received a complaint that an adult child was not provided with a copy of their parent’s medical record. The complaint was received in April 2019 and the records were only released in October 2019 after intervention by OCR. Without any other background facts, a settlement of $70,000 was reached.
  4. Patricia King MD & Associates (King) – King is a psychiatric care provider group. In October 2018 a complaint was received by OCR about a patient not being able to access their records. As with Housing Works, OCR provided technical assistance. Also like Housing Works, a second complaint was filed in February 2020, by the same individual, that access had still not been provided. The records did not end up being released until July 2020 after an OCR investigation. The actions resulted in a $3,500 settlement.
  5. B. Wise Psychiatry, P.C. (Wise) – Wise is a psychiatry practice providing direct patient care. In February 2018 a personal representative filed a complaint over not being provided with a request copy of a minor child’s medical records. OCR again attempted to go the route of technical assistance. As with the other examples, technical assistance did not result in the right outcome and the same personal representative filed a second complaint in October 2018. Following an investigation, the records were finally released in May 2019, well over a year and a half after initially being requested. For the blocking, Wise entered into a settlement for $10,000.

Leaving aside the still puzzling means of determining settlement amounts for the moment, the fact patterns across the examples a strikingly similar. An individual requests access, gets a bit of a runaround, files a complaint, still waits, and then finally after an extended period of time gets access to the records. Given the innumerable anecdotes around trouble getting access to records, it can be suspected that the incidents covered by the complaints were not isolated incidents at the organizations. Oftentimes, even if not intentional, denial of access becomes a frustrating routine. The round and round nature of the fight for access has become a specific point of contention for individuals. It is unclear why so many barriers are thrown up when the HIPAA Privacy Rule is quite clear on both the process and time for responding.

The transition to electronic records highlights the issues even more. When records are maintained electronically, modifications to the right of access that occurred through the HITECH Act enable individuals to request an electronic copy, if the records are maintained electronically. Since the vast majority of hospitals and physician groups have transitioned to electronic medical records at this point in time, most if not all requests should be able to seek an electronic copy. However, some request forms will not even identify that an electronic copy is an option. The electronic access issue represents another area of either misinterpretation or lack of awareness.

On the issue of the settlement amounts, it is a bit striking that the dollar amounts are so low. Penalty amounts are driven by the number of incidents and the severity of the incident. Each of the new settlements only involve one patient, which could be one means of insight into the low dollar values aside from BILHBS. However, a couple of the settlements arguably involved knowing and deliberate action since continued non-compliance with the right of access occurred after receiving technical assistance from OCR. In those instances, it would be tough, if not impossible, to argue that the organization was unaware of obligations or did not fully appreciate what needed to occur. At some point, it would be helpful to understand the process by which OCR determines settlement amounts, though it is fully acknowledged that such a wish will in all likelihood remain forever unfulfilled.

What Comes Next?
The next step for covered entities (and probably business associates) should be a refresher on right of access requirements and improving practices for facilitating as opposed to hindering access. Since the right of access is not a new requirement under HIPAA that could be a bit of an overly optimistic hope. If rights have not been respected up to this point, then why would practices change overnight.

Stepping up compliance efforts most likely can be enhanced through better training and education. The axiom that compliance cannot happen without firm knowledge applies in this context too. The training on the right of access should also focus on collaboration since a request may travel across multiple departments or groups within an organization.

Improving responsiveness to requests for access can also impact an organization’s reputation. If record access is denied, those actions could begin showing up in reviews or comments about the organization. Reviews cannot be ignored since individuals increasingly turn to online reviews for purposes of vetting clinicians. Negative comments around a right of importance could sway decisions.

What could drive more systemic change? The fear of bigger penalties. If OCR were to take a leap and impose a large dollar penalty on an organization from a right of access complaint, then more focused attention could result. Even the $70,000 penalty to BILHBS will not cause a large organization much pain as that amount would be easily covered and could be less than the time and cost involved in enhancing employee education or other steps to implement change. However, rising dollar amounts would likely change that calculus and could achieve the proper outcome. As the saying goes, money talks.

Another factor impacting the future for right of access are the upcoming opening requirements that are part of the information blocking rules. Even though enforcement is being delayed, compliance must start soon, which includes extensive opportunities for individuals to seek access to their own information. If organizations are confused by HIPAA and its right of access, the advent of new rules could provide the chance to start afresh from the right foot.

Patient Preference and Technology
What may actually be the game changer is the stronger patient voice and access to technology. Patients are clearer with expectations along with the ability to connect new forms of technology or more easily seek a new place or venue for care delivery. The concern of losing patients and arguably the more intuitive means of granting access could be a turning point. The patient engagement and consumerism tides seem to support a more equal playing field, which is well symbolized by access to and control over a broad swath of health data.

The stronger patient voice is showing up in social media and through the growing patient advocacy or support industry. While the advocacy and statements on social media may not represent a broad based voice at the current moment, the views will continue to spread and be recognized by more individuals. Prevalence and visibility can improve the odds of anyone finding and being able take up the same position.

As noted, technology is also an important factor. The information blocking regulations require enable third party application interfaces to hook into data feeds, which are meant to pull data for the benefit of individuals. That process builds upon the many solutions targeted to individuals for purposes of collecting, collating, and finding value in healthcare data. While individuals are encouraged to produce a lot of their own data in those applications, formal data from a healthcare organization is also expected to play a role. The broader scope of healthcare data also means creating a more comprehensive picture of individuals that includes information from all parts of an individual’s life.

The Takeaway
Time will tell on the patient front, but it does seem to be an area with the most promise as there is not much precedent to sway an outcome in one direction or the other. One thing is clear though, organizations must and should honor a request for access because even though HIPAA mandates that outcome, OCR could also be coming with a fine now too.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.