Legal Alert

HIPAA Right to Access Information Enforced

September 11, 2019

With all of the attention on Health Insurance Portability and Accountability Act (HIPAA) requirements to safeguard the privacy and security of a patient’s health information, covered entities sometimes overlook the HIPAA provisions that give patients rights to their information. This includes a patient’s right to access his or her medical and billing records from providers and records in areas spanning billing, enrollment, payment, claims adjudication, medical management, and care decisions from health plans.

Earlier this week, the Office of Civil Rights of the Department of Health and Human Services (OCR) announced its first settlement agreement under an initiative to enforce patients’ rights to access their medical records. HIPAA typically requires covered entities to provide patients access to their records within 30 days of a request. In this case, OCR found that the provider furnished incomplete records to the patient’s counsel about five months after the patient’s initial request (with interim correspondence from counsel) and complete records to the patient’s counsel about 10 months after the initial request.

The new settlement agreement requires the provider to pay $85,000 and adhere to a corrective action plan that includes developing appropriate policies and procedures for individual access to information, distributing the policies and procedures to appropriate members of its workforce, and training workforce members on the policies and procedures to ensure compliance. The provider must also address this matter appropriately with business associates and provide OCR with a list of its business associates along with copies of all business associate agreements. Failure to provide patients timely access to information within the next year must be reported to the Department of Health and Human Services within 30 days.

Health care providers, health plans, and health care clearinghouses should have policies and procedures in place that allow them to provide a patient with prompt access to his or her health information at a reasonable charge (if any). Some state laws also regulate how much a provider can charge for copies of medical records. Business associate agreements should address vendor responsibilities on providing patients’ access to their information. 

Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue the mission of providing our readers with information about significant changes affecting health care and health benefits in the United States and establishing a repository for analysis and original source material of significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.

Copyright © 2019 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Subscribe to Ballard Spahr Mailing Lists

Get the latest significant legal alerts, news, webinars, and insights that affect your industry.