The Office for Civil Rights started 2021 off with another settlement of alleged non-compliance with the HIPAA right of access. The settlement, as noted by OCR, is the 14th right of access settlement since OCR began its targeted focus on this issue in late 2019. The message should be a bit unavoidable at this point in time, namely that individuals have the right to access their own health information and unnecessary hurdles or delays should not be put in the way.
The newest settlement (and first of 2021) involves Banner Health in Arizona. The settlement actually identifies two separate incidents where Banner Health reportedly did not respond in a timely manner. The first incident saw a request submitted in December of 2017 and records were not provided until May of 2018. The complaint to OCR in that case was sent in August of 2018. The second incident saw two requests submitted by the same individual in July and September of 2019. In that instance, Banner Health did not provide records until February 2020, after a complaint was submitted to OCR in January 2020.
The resolution agreement does not provide any other detail than to suggest that in both instances an attorney’s office requested the records on behalf of the individual. HIPAA clearly allows an individual to direct that information be provided to a third party or for the third party to submit the request on behalf of the individual. Leaving aside arguments around the fee for the request that can be charged in those different instances, the mere fact that an attorney sent in the request should not impact the timeliness of a response to the request.
Further, while no delay should occur, the amount of time involved in the two examples cited by OCR does not necessarily seem as bad as revealed in other resolutions. Again, while delays should not happen, only citing two instances for what is a large system also does not seem particularly egregious. Those issues along with the facts cited above make it hard to understand the $200,000 fine, other than Banner Health is a big system that can more readily afford to pay a penalty in that amount.
While it is likely a vain hope, it would be helpful to get more facts to see if there is more to the situation than just two untimely responses that lead to complaints being filed with OCR. Accordingly, the resolution arguably leaves an unsettled picture and no clear understanding as to when, why, or how OCR will seek to impose a monetary penalty over a right of access request that is not filled when it should be. Despite the uncertainty, it is clear that the right of access should be respected and followed as set out in the HIPAA regulations.
Potentially Pending Changes
What is the overall direction for the right of access on top of the constantly growing number of resolutions with payments? The noticed proposed rule for tweaking HIPAA provides some additional insights. A significant portion of the proposed rule (as yet unpublished in the Federal Register as of this blog publishing on January 13, 2021) implements guidance around the right of access that has been provided over the years by OCR along with addressing on the ground concerns about hurdles to the right of access.
Doubling down on timeliness of responding to requests, the proposed rule seeks to shorten the response time to 15 days (with a possibility of one 15 day extension) in alignment with other movements to more immediate access whether through the coming information blocking rules or state level requirements. If organizations struggle to respond with 30 days, times could get tougher with even less time, though hopefully the increasing general awareness around the issue can spur positive changes.
Another significant portion of the proposed rule is to remove unnecessary hurdles to the patient in making the request and then being able to get the results of the review. The initial upfront step focuses on the nature of the request itself. OCR reminds in the preamble to the proposed rule and in the changes that organizations should not be trying to make it overly difficult for an individual to submit a request. That means not rejecting all forms but an organization’s own form or imposing over the top signature requirements (imposing a notary requirement is cited in the commentary) that cause frustration and upfront delay before even being able to get to the content of the request itself.
Going to the end fo the request process, the scope of fee imposed on individuals can often be quite high and pose a real financial barrier even once the records have been compiled. OCR is seeking to fully implement a reasonable fee structure that had been initially set out a few years ago through sub-regulatory guidance (meaning statements that did not go through the formal rulemaking process and do not really have the full force of law). The bottomline message on the fee changes is that individuals should not be charged exorbitant fees and must be quite limited in what can form the basis of the fee (looking mostly at reasonable labor costs for copying the records or preparing the request).
Recognizing changes enacted through the information blocking regulations, the proposed rule also specifically calls out the ability to have a request direct information to a third party application, most likely some form of a personal health record. Since the information blocking rule allows for such connections, it only makes sense for the HIPAA right of access to go in the same direction.
The Big Picture
Looking at the settlements, proposed rule, and growing sentiment among individuals all together, it is clear that individuals want access to their own information. Many new privacy schemes seem to approach the issue from that ideal and then work backward a little bit to recognize what may be necessary for business functioning. However, the basic message is that people should be entitled to access their own data without road blocks being put in the way all of the time.
All of the developments are positive movements, but it is also important to remember that there are many steps left to address. When discussing access and barriers, it is easy to focus solely on HIPAA, but forgetting the impact of state law can be dangerous because state law may be the real source of frustration even though HIPAA is blamed. Ensuring that a comprehensive understanding is taken when considering and developing ideas for moving ahead is important (if not essential). Ultimately, enacting change that helps everyone requires every interested and impacted party to be involved in the development of new systems and requirements. Will that happen? Only time will tell.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.