Significant changes are occurring in the enforcement of patients’ rights to access their health information within a reasonable timeframe. On February 12, 2021, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced its 16th settlement of an enforcement action under its HIPAA Right of Access Initiative. The amounts of these settlements vary, and many more settlements may follow for a host of reasons.
In this case, Sharp HealthCare agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. The company, based in California, provides healthcare through 4 acute care hospitals, 3 specialty hospitals, 3 affiliated medical groups, and a health plan. In June 2019, a complaint was filed with OCR alleging that the company failed to take timely action in response to a patient’s records access request directing an electronic copy of protected health information (PHI) in an electronic health record (EHR) be sent to a third party.
OCR provided the company with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that the company still had not responded to the patient’s records access request. OCR initiated an investigation and determined that the company’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
As a result of OCR’s investigation, the requested records were provided to the designated recipient. “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right,” Acting OCR Director Robinsue Frohboese said in a press release. In addition to the monetary settlement, the California company will undertake a corrective action plan that includes 2 years of monitoring.
Ritu Agarwal, PhD, Distinguished University Professor in the Robert H. Smith School of Business at the University of Maryland in College Park, and co-director of the school’s Center for Health Information and Decision Systems (CHIDS), said current settlements and proposed corrective actions are long overdue. “It’s difficult to comment on the size of the settlement without a deeper understanding of the loss incurred by the requesting patient,” Dr Agarwal said.
Higher Settlement Amounts Possible
Elizabeth G. Litten, Chief Privacy and HIPAA Compliance Officer for the law firm of Fox Rothschild LLP, in Princeton, New Jersey, said many providers are unclear as to when a request is made by an individual pursuant to a HIPAA authorization versus a HIPAA access request, particularly when a patient wants records to be sent to a third party. “These combined factors have led to a ‘perfect storm’ for noncompliance, so the number of OCR investigations and settlements is not surprising,” Litten said. “The relatively low settlement amounts are likely attributable to the fact that many instances of noncompliance likely stem from confusion on the part of the provider rather than negligence or willful noncompliance.”
She said she expects investigations and settlements to continue, particularly as the Office of the National Coordinator for Health Information Technology (ONC) information blocking rules take effect and individuals request access via health apps and other newer technologies. “We may see higher settlement amounts, if large covered entities or business associates do not provide access in accordance with HIPAA and the ONC rules,” Litten said.
New Rules Proposed
In a Notice of Proposed Rulemaking first announced in December 2020 and published in the Federal Register in January 2021, HHS proposed amendments to HIPAA rules. Litten said some of the proposed changes are intended to provide more clarity on how to respond to access requests. “The proposed rules, if adopted, help somewhat but further clarity is needed as to the difference between HIPAA authorizations and HIPAA access requests,” Litten said.
HIPAA authorizations typically permit disclosure of specified elements of PHI to specified recipients, must contain specific provisions, and do not implicate fee limitations under HIPAA or response times. HIPAA access requests generally permit disclosure of all PHI contained in a designated record set, do not require specific provisions, and implicate fee limitations and response times.
Attorney Joseph Lazzarotti, of the law firm of Jackson Lewis PC, in Berkeley Heights, New Jersey, said OCR’s enforcement has been somewhat sporadic, which may explain some of the lack of technical compliance. “Particularly for smaller providers, the compliance burden is considerable. The settlement amounts are not insignificant, [so] the question is whether the enforcement message is reaching the audience,” Lazzarotti said.
Dr Agarwal said there are numerous examples of adverse outcomes associated with lapses in health information privacy, including discrimination and denial of employment. “Unfortunately, the rules and regulations have not evolved with the rest of the healthcare industry, which has increasingly focused on patient empowerment and engagement as a key element of health and wellness,” Dr Agarwal said.
“Patient empowerment begins with personal health information that belongs to the patient, and it should be accessible without any hindrances or obstacles. That is not always the case, however. Consider this analogy to financial information: How would you feel if you could not easily find out what your bank balance is? Or whether your deposit has cleared? Or how much you owe on your credit card?” Dr Agarwal said.
She said there has been an accelerated digitization of the healthcare industry, which started more than 2 decades ago. With widespread use of EHR systems, providers have relatively easy access to patient health information and can facilitate patient access. “The proposed changes by OCR call for shortening healthcare providers’ required response time by half, from 30 to 15 calendar days. Therefore, there might be higher chances of violating the law and more complaints from patients,” Dr Agarwal said.
HIPAA rules were developed in 1996, when the Internet was new. At that time, many patients and providers were worried about the misuse of the web in spreading sensitive health information. More than 20 years later, however, said Guodong (Gordon) Gao, PhD, MBA, also with the Robert H. Smith School of Business, where he is a professor and co-director of the CHIDS, the situation has changed substantially.
“In the age of big data and 5G, some of the original HIPAA rules are making it hard for patients to share information with their family members and for providers to coordinate with each other. HIPAA restrictions also make providers reluctant to use novel care delivery channels such as telemedicine,” Dr Gao said.
Patient Health Data ‘Like a Gold Mine’
The current wave of artificial intelligence (AI) is built on leveraging large-scale data, and its use poses significant challenges that will need to be addressed. “Patient health data is like a gold mine,” Dr Gao said. “There need to be more changes to HIPAA for a ‘fair use’ of the data so the algorithms can learn from it. This can lead to better decision support for doctors, which will benefit all of us.
“By no means,” he continued, “are we suggesting to weaken privacy protection. Rather, by leveraging technology, we can achieve the dual goal of enhancing privacy protection and improving information sharing for better care.”
Reference: OCR settles sixteenth investigation in HIPAA Right of Access Initiative. US Department of Health and Human Services press release; February 12, 2021.