Legal Pearls: Providing Medical Records to Patients
The Office for Civil Rights (OCR) takes very seriously the requirement that health care practitioners provide patients with copies of their medical records. In one case, a private practice was faulted for not providing a complete copy of medical records and instead relying on a state regulation that permitted giving just a summary of the medical records. OCR explained that this is only allowable if the person requesting the records agrees in advance to get just a summary – otherwise, complete medical records are required.
The HIPAA Enforcement Update
The US Department of Health and Human Services has updated its Health Insurance Portability and Accountability Act (HIPAA) enforcement data to include enforcement results from when the rule went into effect in April 2003 through the end of 2021. The OCR is responsible for investigating HIPAA complaints. Since 2003, OCR has received more than 286,610 HIPAA complaints and has resolved 96% of them. More than 29,354 cases were resolved by the OCR requiring corrective actions by HIPAA covered entities. To date, OCR has settled or imposed a monetary penalty in 106 cases, resulting in a total dollar amount of $131,392,632. In more than 13,000 cases, investigators found that no violation had occurred. In more than 50,000 cases, OCR was able to intervene early and provide technical assistance without the need for an investigation. In the rest of the cases, OCR determined that the complaint was not eligible for enforcement for a variety of reasons, including that the OCR lacked jurisdiction, the complaint was untimely, or the activity did not violate HIPAA rules.
Most importantly, HHS noted that the top 5 compliance issues alleged in complaints, in order of frequency, were: (1) impermissible uses and disclosures of protected health information; (2) lack of safeguards of protected health information; (3) lack of patient access to their protected health information; (4) lack of administrative safeguards of electronic protected health information; and (5) use or disclosure of more than the minimum necessary protected health information. The most common covered entities alleged to have committed violations were: (1) general hospitals; (2) private practices and physicians; (3) outpatient facilities; (4) pharmacies; and (5) community health centers.
In September of 2019, HHS launched a HIPAA Right of Access Initiative, requiring providers to give patients copies of their health records quickly and at a reasonable cost. Since then, 25 healthcare providers have resolved HIPAA Right to Access cases with OCR. At the end of 2021, HHS announced the 5 most recent financial settlements and corrective action plans, including a $100,000 civil money penalty against an internal medicine physician in New York.