Recent HIPAA Right of Access Settlements Highlight Ongoing Enforcement Efforts

SNFs, this one is for you! Yesterday’s post on billing fraud was too. It almost feels as if this second week of April has a compliance theme, while last week the focus was on CMS Proposed Rules. Assuredly, Wednesday will bring some different news as March CPI data drops.

This news came last week via the Office for Civil Rights (OCR), which oversees HIPAA-related complaints. It pertains to two important and expensive enforcement actions taken against two SNF providers: Phoenix Healthcare (multi-facility SNFs in Oklahoma) and Essex/Hackensack Meridian Health, West Caldwell Care Center (a New Jersey SNF). A great summary of the cases from Nixon Peabody is available here: Right-of-access-enforcement-actions

The core of both cases involves access to Protected Health Information (PHI) via medical records. While facilities are allowed to verify the authority of resident personal representatives requesting access to PHI, verification cannot be used as a reason to delay access. Further, providers are not allowed to withhold access to PHI because fees for copies and the like have not been paid.

Providers and other covered entities are required to provide access to PHI maintained in a medical record within 30 days of receiving a request from a patient/resident or their (legally permitted) personal representative. The regulations spell out that this 30-day timeframe is an upper limit, not a period that should be used up. Covered entities should provide access as soon as possible. While not cost specific, the regulations imply that charges for things like copies should be modest and reasonable. Most states do specify production cost limits, typically per page.

  • In the Phoenix Healthcare case, the daughter of a resident, who was the resident’s personal representative, was not provided access to her mother’s medical record for close to a year, despite numerous requests. The daughter filed a complaint with OCR alleging that Phoenix would not provide her with access to her mother’s medical records. After OCR intervention, the records were finally made available after 323 days. OCR issued Phoenix a $250,000 civil monetary penalty (CMP) for failing to provide legitimate access to PHI. Phoenix appealed, and an Administrative Law Judge (ALJ) agreed that Phoenix violated its legal requirement to produce the PHI on request but reduced the penalty to $75,000. Phoenix filed a subsequent appeal with the HHS Departmental Appeals Board. The Board sustained the findings of the OCR and the CMP amount of $75,000. OCR and Phoenix, however, settled the final matter for $35,000 after Phoenix complained of financial hardship, with a plan of correction imposed (revised policies, additional training, etc.).
  • In the Essex/Hackensack case, OCR issued a notice of imposition of a CMP for $100,000. OCR investigated Hackensack Meridian Health after receiving a complaint in May 2020 alleging that the facility failed to provide a resident’s son (her personal representative) access to his mother’s medical records. The son had provided the facility with documentation proving his authority as personal representative. After OCR’s involvement, the facility did provide the requested information, 161 days after the initial request. As a complication, the facility indicated that the resident, her son, and the facility were involved in litigation.

For providers, the risk-prevention lesson here is clear. The following tips are simple and can save an organization a lot of money in terms of fines and, of course, legal fees.

  • Presume that requests from a patient and/or his/her legal representative should be honored ASAP. Don’t think thirty days; think quicker. State law may require a provider to act quicker. Remember, the thirty-day period that OCR uses is the outer limit, not the expectation.
  • The person making the request can receive the data in any fashion (paper or electronic) he/she chooses. I also advise providers not to overcomplicate this process. For example, I did some work with an organization that would not email records to a patient, stating that the email was not “secure”. It is not the duty of the facility to assure a secure email for the patient; in fact, as the data belongs to the patient, he/she can choose to share it anywhere he/she wishes. The duty to secure the information remains with the provider as long as the provider is the custodian of the data. Once the PHI has been properly provided elsewhere, its security becomes the responsibility of the recipient.
  • I am not in favor of providing records for free, but all providers should know the state rules applicable to copying/production of records. Charge only the permissible amount, or less if desired. Postage/shipping, unless specifically addressed by the applicable rule, is extra.
  • Keep organization policies in line with OCR guidelines and/or state law. Train applicable facility and organizational personnel on the policies and always err on the side of being more accommodating, not less.
