OCR Cracking Down with HIPAA Right of Access Initiative

“OCR Cracking Down with HIPAA Right of Access Initiative” 

The OCR has now settled 13 investigations (HHS News) as a part of the 2019 HIPAA Right of Access Initiative. HIPAA’s Right to Access, under the Privacy Rule, requires covered entities to provide patients with access to their PHI that is a part of the Designated Record Set, when requested, and in a timely manner. Patients have a right to inspect, copy, or both, of their records.  

Most organizations are aware of Right to Access but unless there are proper policies and procedures in place the request could get lost in the shuffle.  It’s advised that an organization outlines a process for when patients request access to their records so that all bases are covered. The formal process should be documented and include (HHS Guidance): 

• Any documentation that the patient needs to complete in order to request access 
  • A form that includes the following is advised: 
    • Patient name and DOB 
    • Contact information 
    • Delivery Type (Printed or Electronic) 
    • Records that are being requested 
    • How the organization will notify the patient when their records are ready for pick up 
    • Date and Signature of patient or their legal representative 
  • A form that outlines the copying and mailing costs the patient will be responsible for 
    • See 45 CFR 164.524(c)(4) for what fees can be charged to a patient 
• Forms of identification that are acceptable to prove patient identity 
• Personnel in which access requests should go through 
  • State a specific person, role, or department that should carry out requests and who has final approval 
• The expected timeframe that an access request should be completed 
  • This should be determined by the organization but cannot exceed 30 calendar days from the date of the request 
    • The covered entity may extend the time, if needed, by an additional 30 days but the patient must be notified in writing within the initial 30 days of the delay. Only one extension is permitted per access request. 
• Grounds for denial 
  • Any grounds for denial should be carefully researched and compared to 45 CFR 164.524(a), 45 CFR 164.524(b), 45 CFR 164.524(d) for legality 
• It’s important to note that the handling of sensitive information, such as psychotherapy notes, substance abuse, and blood borne diseases may require a different approach.  

Having proper documentation of the Right to Access process will allow for a smooth execution! It’s also important to document all requests, from start to finish, in case it needs to be referenced in an investigation or audit.