On August 1, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published its 49th HIPAA Right of Access Initiative enforcement action against American Medical Response (AMR). AMR, a provider of emergency medical services across the United States, was required to pay a civil monetary penalty (CMP) of $115,200, as a result of an investigation based on a complaint that it had failed to provide a patient with timely access to her medical records.
AMR’s response to a medical records request
According to the Notice of Proposed Determination, in October 2018, a patient sent an initial request for her medical records pertaining to treatment she received from AMR a month before. AMR uses an electronic health record (EHR) for its medical records and maintained the patient’s requested health information in its EHR system. Per the Notice’s Findings of Fact, the patient’s initial request was in writing, signed, clearly identified the patient and where to send a copy of the patient’s medical record, and was sent via fax to AMR. AMR sent the patient confirmation that it received the patient’s request.
According to the Findings of Fact in the Notice, on November 13, 2018, the patient mailed a copy of her October 2018 access request to AMR’s Seattle office via certified mail and received confirmation from the United States Postal Service that the access request was successfully delivered to AMR. In January 2019, the patient sent two follow-up access requests—one to AMR’s Los Angeles office via certified mail, and the other to Centrex, AMR’s business associate, via fax.
Despite the patient’s multiple requests for her medical record, AMR did not respond to the patient’s requests until March 1, 2019, nearly 121 days after the patient’s initial request, when it sent the patient an invoice requiring payment before it would provide the requested records. The patient sent a final follow-up request in March 2019, demanding the records be provided or a complaint would be filed with the OCR. When AMR did not respond, the patient filed a complaint with the OCR in July 2019.
Ultimately, and in response to the OCR’s investigation, AMR sent the patient her requested records in November 2019, over a year after the patient’s initial request.
Access to medical records under HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions state that a covered entity (i.e., a healthcare provider, health plan or healthcare clearinghouse) must provide patients access to their protected health information within 30 days of a request unless it has a legally permissible reason to deny the request or has a valid reason to extend its response time by no more than 30 days. OCR guidance states that this 30-day requirement is an “outer limit” and that “covered entities are encouraged to respond as soon as possible.”
The OCR guidance also suggests that individuals can reasonably expect a covered entity to “be able to respond in a much faster timeframe” when the entity uses “health information technology in its day-to-day operations.” Under HIPAA’s Privacy Rule, AMR should have acted upon the patient’s request on or before November 30, 2018, but instead responded 370 days after the patient’s initial request. As AMR waived its right to a hearing and did not contest the OCR’s findings, the OCR finalized its determination and imposed the $115,200 CMP against AMR.
Enforcement a high priority for OCR
This recent enforcement action marks the OCR’s third time imposing penalties against an entity for failing to respond to a single request for patient records, and the highest CMP imposed this year. In March, the OCR initially indicated its intent to impose a CMP of $250,000 against Phoenix Healthcare but ultimately agreed to a settlement of $35,000. In April, the OCR imposed a CMP of $100,000 against Hackensack Meridian Health. It appears the OCR remains committed to holding covered entities accountable for failing to comply with HIPAA right of access rules.
A covered entity, especially one that uses EHR systems for maintaining medical records, should ensure its internal procedures are streamlined to track and respond to patient access requests in a timely manner that complies with right of access requirements.
For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this alert.