Avoid Fines and Penalties by Timely Responding to Requests for Patient Records

By: Angie Cameron Smith, Burr & Forman LLP

The Office of Civil Rights (“OCR”) routinely makes announcements about enforcement actions taken against healthcare providers. One such enforcement action is a civil money penalty (“CMP”) related to a provider’s failure to timely comply with a request for medical records from a patient. So far in 2024, OCR has fined two providers $100,000 or more for failing to timely respond to a patient’s right to access medical records. Although the penalties OCR may impose range from $100 per violation to $50,000 per violation, in the two recent cases, OCR determined that the violations were due to “reasonable cause” and not willful neglect. “Reasonable cause” means that the provider knew, or by exercising reasonable diligence would have known, that the failure to provide access violated the regulation, but in which case the provider did not act with willful neglect. These two providers received CMPs of $1,000 per day for each day they failed to provide access to the records. In addition to the fines, those providers were required to have a corrective action plan approved by OCR and undergo monitoring by OCR. To avoid similar fines and penalties, it is important that physician practices timely respond to requests from patients for copies of their medical records.

Under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), a covered entity, which includes healthcare providers, must respond within 30 days of receipt of a patient’s request for access to records. ¹ Although it seems fairly straightforward, healthcare providers can run afoul of the rule if they or their staff fail to recognize the importance of responding to such requests.

What is a Patient Right to Access?
HIPAA “requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (“PHI”) about them in one or more ‘designated record sets’ maintained by or for the covered entity.” ² The right to access includes inspecting or obtaining a copy, or both, and it also allows the patient to direct that the healthcare provider give the copy to a designated individual or entity. If the patient directs the provider to send the PHI to another person, the request must be in writing, signed by the patient, and clearly identify the designated person and where to send the PHI.  

Patients have a right to access their PHI for as long as the information is maintained by the provider, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the provider, another provider, etc.).

What is the “medical record”?
HIPAA defines the “designated record set” as the group of records maintained by or for the healthcare provider that includes medical records and billing records and “other records that are used, in whole or part, by or for the [healthcare provider] to make decisions about patients.

The rule does not require that a provider create new information or explanatory materials that are not already in the designated record set.”

Can you deny a request?
Certain information is excepted from the right to access including psychotherapy notes and information compiled for civil, criminal or administrative actions. Note that in one of the recent enforcement actions, the provider did not provide the individual with access to the requested information and asserted to OCR that its basis for doing so was because the provider had filed a lawsuit against the patient for failure to pay. This was not sufficient to justify denying access to the records.

Additionally, if the provider believes access to the information could cause harm to the patient or another person, the provider can refuse to provide the record.

What if it takes longer to compile the records?
Due to the use of electronic medical records, OCR’s guidance states that the 30-day timeframe is the outer limit and that providers should respond as quickly as possible. However, the regulation acknowledges that there may be instances where a provider cannot meet the 30-day turnaround. In those instances, within the initial 30-day period, the provider must send a written statement to the patient providing the reason for the delay and the date by which the records will be provided, which cannot be longer than an additional 30 days. A provider can only have one 30-day extension.

What if the patient is deceased?
Someone other than the patient can request access to the medical records of a patient, even if the patient is deceased. Under the Rule, an individual’s “personal representative” has the right to access PHI about the individual consistent with the scope of that person’s authority as personal representative. Verification of the person’s ability to act as the “personal representative” should always be obtained.

What’s the difference between the right to access and an authorization to release?
Healthcare providers may receive an “authorization” to release medical records or PHI to a third party. This is different than the patient requesting access to his own medical record. A provider is not required to disclose PHI pursuant to an authorization and there is no required timeframe within which the provider must respond if it chooses to provide the requested information.

Resources to use in developing policies and procedures
OCR has a set of Frequently Asked Questions on its website to address many of the common issues that arise with HIPAA and specifically with the “Right to Access” provisions, which can be a great resource: https://www.hhs.gov/hipaa/for-professionals/faq/index.html.

Every practice should have HIPAA policies and procedures that include how the practice handles requests for records to ensure that those requests are processed timely and correctly.

¹ 45 CFR 164.524
² https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Angie Smith is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Angie may be reached at (205) 458-5209 or asmith@burr.com.