OCR Focusing on Enforcing Patients’ Rights to Access

In a Bloomberg Law article regarding last month’s National Health Insurance Portability and Accountability Act (HIPAA) Summit, reporter James Swann notes that the Federal Government plans to increase its enforcement efforts relating to patients’ rights to access their medical records. Roger Severino, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), stated that the continued focus on enforcement is “part of the Trump administration’s goal of empowering patients to make their own medical decisions.” Further, Severino indicated that the OCR’s ongoing privacy audits may shift from being educational in nature toward more of an enforcement focus.

Additional information on the OCR website supports the notion that the agency’s enforcement actions are growing. The OCR concluded calendar year 2018 with the highest record for HIPAA enforcement activity.  In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million from enforcement actions. Since the compliance date of the Privacy Rule in April 2003, OCR has received over 199,485 HIPAA complaints and has initiated over 928 compliance reviews. As of January 31, 2019, the most investigated compliance issues include (in order of frequency):

1. Impermissible uses and disclosures of Protected Health Information (PHI);
2. Lack of PHI safeguards;
3. Lack of patient access to their PHI;
4. Lack of administrative safeguards of electronic PHI; and
5. Use or disclosure of more than the minimum necessary PHI.

Generally, the HIPAA Privacy Rule requires covered entities to provide an individual, upon request, with access to their PHI in one or more designated record sets maintained by, or for, the covered entity.  Covered entities are required to provide such access to the individual within 30 calendar days from receiving the individual’s request. Over the past several years, the OCR has released additional guidance regarding individuals’ rights under HIPAA to access health information.

Covered entities should continue to: 1) ensure that policies and procedures around patient’s rights are up to date with the current HIPAA Rules and the OCR guidance; 2) monitor and audit patient requests for their health information to ensure they are processed within 30 days and in accordance with the HIPAA Privacy Rule; and 3) integrate patient rights into HIPAA education and training.

For assistance with your HIPAA Privacy Program, contact Lisa Shuman, MPA, CHC, CHPC, CHRC ([email protected]) or Catie Heindel, JD, CHC, CHPC, CHPS ([email protected]).

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.