Proposed Changes to HIPAA & Recent Enforcement Actions


This article, authored by WLJ health law attorney Jennifer Smith, is featured in the Spring 2021 issue of The Arkansas Family Physician

On December 10, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”), which enforces HIPAA, released a proposed rule that would make several changes to the HIPAA Privacy Rule. One purpose of the proposed rule is to strengthen the rights of individuals to access their medical records.

With limited exceptions, the right of an individual to access his or her medical record includes both the right to inspect the records and the right to receive copies of the records.  A recent audit report released by the OCR showed that 89% of covered entities audited were not correctly implementing the right to access.  In 2019, the OCR began prioritizing enforcement of violations of the right to access.  Since beginning this initiative, fourteen access-related investigations have been settled with health care providers.  More than half of these settlements were with physicians or physician groups.  Penalties were imposed for failure or refusal to provide timely access, failure to provide copies in the requested format, and failure to cooperate with the OCR’s investigation. The average penalty imposed against a physician group was around $36,000.

The current HIPAA regulations provide that a covered entity must respond to an individual’s request to access his or her records within thirty days of receipt, or, if the records are maintained off-site, within sixty days of receipt.  If a covered entity cannot respond to the request within this time frame, a thirty-day extension is allowed if the covered entity provides the individual with a written statement that explains the reason for the delay and provides a date for when the request will be fulfilled.

If copies are requested, they must be produced in the format requested by the individual, or if the requested format is not readily producible, in a format agreed to by the individual. The current HIPAA regulations also allow covered entities to charge a reasonable fee for providing copies, but the fee is limited to the cost of labor associated with copying the records and related supplies and postage.  This fee limitation applies when individuals request copies of their own records.  It does not apply when an individual requests his or her records to be transmitted to a third party.

The proposed rule would change the right to access in several ways.  The time frame for responding would be reduced from thirty days to fifteen days.  If an extension were needed, the covered entity would be allowed only one fifteen-day extension, and the covered entity would still be required to provide the individual with a written statement of the reason for the delay and a date when the request will be fulfilled. Covered entities may also be required to establish a process to prioritize urgent or high priority requests for access, such as for requests that are related to a health or safety issue.

In addition to allowing individuals to inspect their records, the proposed rule would provide individuals with the right to take notes and photograph or otherwise capture information contained within their medical records as long as the individual used a personal device that did not require connecting to the covered entity’s information system.

With respect to fees, covered entities would continue to be limited to charging fees for labor involved with making copies of records, including electronic copies, related supplies, and postage when the record would be mailed.  If a summary of the record were requested or agreed to by the individual, a reasonable charge could be imposed to prepare the summary.  Covered entities would be prohibited from charging an individual for inspecting records or accessing records through an internet-based method, such as a personal health application.  In addition, any fees would need to be disclosed in advance. Covered entities would also continue to be prohibited from refusing to provide access to records if a patient had an outstanding medical bill.  Finally, the OCR would encourage, but would not require, covered entities to waive fees for individuals with limited financial means, such as individuals who have Medicaid or those who qualify for a financial assistance program.

Individuals would continue to have the right to direct a covered entity to send a copy of their medical record to a third party, but this right would be limited to electronic health records and would not include records maintained on paper or other media, such as microfiche. Fees for directing electronic copies to third parties would also be limited to labor for making the copies and/or preparing a summary or explanation if agreed to by the individual.

The proposed rule would also grant current or prospective patients the right to request that a covered entity request copies of their medical records from other covered entities.  Such requests would have to be made by the requesting covered entity within fifteen days. The disclosing covered entity would then have fifteen days to respond and would be allowed one fifteen-day extension if needed.

In addition to changes to the right to access, the proposed rule would also provide clarity for when protected health information (“PHI”) could be disclosed without an authorization for case management and care coordination, including to community-based organizations, caregivers and family members, and when PHI could be disclosed in a patient’s best interest.  Finally, the proposed rule would eliminate the need to obtain a written acknowledgement that a patient received a copy of the covered entity’s notice of privacy practices.

If finalized, the proposed rule will become effective sixty days after publication.  Covered entities will then have 180 days to comply with the rule, which will require updating policies and procedures and the covered entity’s current notice of privacy practices, as well as making sure staff are trained on these new requirements.

Jennifer Smith is an attorney at Wright Lindsey Jennings specializing in health law.  She can be reached at 479-631-3290 or jsmith@wlj.com