Why more clarity on HIPAA settlements could aid records access

Providing more details on federal agency efforts to improve patients’ access to data will help the industry meet expectations.


The Office for Civil Rights announced its twentieth HIPAA right of access settlement on September 10, which continues the initiative that has been a primary focal point of enforcement for the past couple of years.

The stream of settlements doesn't seem to have changed behavior, though. The concern was best stated in a recent tweet from Lucia Savage, chief privacy and regulatory officer for Omada Health and a former federal official: "You'd think after 20 settlements in two years, people would stop violating patients' right to access their own PHI. I've not done the math but surely the total is now around $500k?"

While the question posed by Lucia is certainly a valid one, part of the issue could be found in how OCR reports the settlements. A review of the most recent settlement with Children’s Hospital & Medical Center (CHMC) can help highlight the issue. In revealing CHMC’s agreement to pay $80,000 to resolve the allegations of not appropriately honoring an individual’s right of access, OCR was quite skimpy on details. Here is a complete summary of the factual background included by OCR in the resolution agreement, which constitutes the full scope of publicly known information:

  • A mother was the personal representative for her deceased daughter. The mother submitted a request for the deceased daughter’s records on Jan. 3, 2020.
  • CHMC provided a portion of the deceased daughter’s records at the time of the request, saying that the remainder of the records had to be collected from another division.
  • A second portion of the records was provided on June 20, 2020, while a third and final portion was provided on July 16, 2020.

That list of statements is all of the facts revealed in the settlement. What can be learned from those facts? Not much. It appears that CHMC did attempt to respond promptly and then took too long to finish producing the records. What happened in the period between January and June or July? The resolution agreement does not say. If outside factors are considered, the major global event during that period was the emergence of COVID-19 and the complete disruption of life that followed.

The suggestion of outside factors is not intended to excuse non-compliance with the right of access requirements clearly set out by HIPAA. The access rule under HIPAA is clear on how much time a covered entity receives to fulfill an access request, which can be extended—although even with the extension, it would not be as long as CHMC took.

Lacking any additional facts, it is also unclear why the delay resulted in an agreement to pay $80,000. Did any of the hidden facts suggest some form of deliberate or intentional action to inhibit access or delay the response time? Only speculation can occur on that front, given the sparse detail in the resolution agreement.

The ongoing attention to access requests and enforcement should be one clear factor putting all organizations on notice that the time for respecting and meeting access right requirements is well past due. The requirements contained in the HIPAA privacy rule are relatively clear and set out a defined process to follow.

However, taking the time to understand and then incorporate those requirements into a workflow does not always occur. Taking the time to devote that effort is well worth the investment because it can improve relations with individuals aside from the compliance benefits.

Beyond actually understanding the language of the HIPAA regulations, getting more detail from OCR when it resolves alleged non-compliance would be quite helpful. Just seeing that an organization did not respond in a timely manner is not enough. That is especially true as the settlements appear to be focusing on less egregious examples of delayed responses. Seeing the facts could also help inform where issues in meeting the requirements are arising. Learning by example is often the best way to appreciate a requirement and then adapt it to another organization.

Inclusion of more detail is an opportunity for OCR to engage the community and provide better guidance. That could potentially require the entity subject to the resolution to agree, but there would arguably be some reasonable pressure that could be applied to obtain that cooperation. The benefit of informing the wider industry as to expectations and pain points should be appealing.

Another area where more detail would be beneficial is in understanding how the specific penalty amount was imposed. A desire for information as to how the amount is determined has long been a wish when it comes to HIPAA resolutions and it is likely a pipe dream. While it may be a big hope to get that insight, keeping up the pressure on that front could help get some of the process revealed. Absent the information, a solid working assumption remains that the penalty is determined by an organization’s ability to pay.

While waiting (potentially for a very long time) for more insight into resolutions, it is well past time for organizations to review access processes and confirm compliance with HIPAA requirements. Review now is important, given pending changes to the regulations that are expected to result in some changes to the right of access requirement.

From that perspective, comparing current in-force practices with both the existing regulation and the proposed rule would help prepare for the upcoming changes and lay the groundwork for modifications.

Additionally, it is necessary to consider the new access rights created through the information blocking rules. Individuals want their data, and the benefits of providing it are clear, so organizations should seek to use an open approach as a distinguishing factor.

Matt Fisher is a corporate and regulatory healthcare attorney. Matt is currently General Counsel for Carium, a virtual care platform company.
