Will 50 Enforcement Actions Be Sufficiently “Loud and Clear” that HIPAA’s Right of Access Must Be Honored?

Because of pervasive misunderstanding of the Health Insurance Portability and Accountability Act (HIPAA), providers all too frequently create impermissible barriers to patient access to medical records. In many cases, such barriers are artificial, expressly prohibited, or reflect fundamental ignorance. As a result, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been consistently imposing enforcement actions on providers over access issues. The current tally: 50.   

The most recent right of access enforcement action involved a solo dentist’s denial of access to a single patient. Among other things, the dentist refused to send the patient’s records because the patient had not paid a $25 “administrative flat fee.” Ironically, the fee at issue was not even permissible under HIPAA because it was not “cost-based.” The dentist paid $70,000 to settle the matter.

In the press release for the dentist’s matter, OCR Director Melanie Fontes Rainer bluntly stated: “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”

Although privacy and security are HIPAA’s core elements, access to health information is critical because information is inherently necessary for a variety of reasons including health care decision-making. Yet, providers routinely deny access in myriad erroneous ways. Providers commonly violate HIPAA by:

• Failing to provide patients with access to their own records.
• Failing to provide parents with access to their children’s records.
• Failing to provide a right of access to an individual serving as an incapacitated patient’s authorized representative (also known as: agent, proxy, surrogate, power of attorney).
• Charging fees which do not represent “reasonable, cost-based fees.”
• Imposing burdensome administrative requirements for requests.
• Failing to transfer records to other providers.

To be sure, there are certain circumstances under HIPAA when denying access to health information is proper, particularly when safety is at issue. HIPAA contains important terms designed to protect against overreach. When refusing access, providers must explain their reasoning, and individuals must be provided rights to appeal.

Ultimately, the 50^th right of access claim ought to be a wake-up call for providers:

• OCR has taken an unambiguous position: the right of access is an enforcement priority.
• Patients must be afforded their access rights. Dispute options must be included in every entity’s “Notice of Privacy Practices” (which must be on the entity’s website) and must direct complaints to the OCR.

Although there is no mechanism for civil litigation to redress HIPAA violations, there should be no doubt that OCR is prepared to continue issuing enforcement actions when the right to access is improperly denied.