51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA.

This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210.

Acting with authorization from patients, Ciitizen made requests for copies of patients records. Each healthcare provider was then given a rating based on their response, from 5 stars being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that were it not for multiple escalation calls to supervisors, the provider would not have been compliant.

There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare providers are also now providing seamless access to patient records, with the percentage having increased from 30% to 40%.

The high figure or noncompliance is not because of the failure to provide patients with copies of their medical records on request, it is mostly because there needs to be “significant intervention” before requests are processed in a compliant manner.

For instance, the main reason for a 1-star rating is patients are not being provided with copies of their medical records in the digital format of their choosing. Inconsistency is also an issue. Many patients will be provided with copies of their records within 30 days, but a significant percentage will experience problems, such as having to make contact by phone on multiple occasions.

The findings from the first report were found to be broadly comparable to the second, although a far higher percentage of providers received a 1-star rating in the second report. In Cohort I (n=51), 27% received a 1-star rating and 24% received 2 stars. In Cohort II (n-169), 51% received a 1-star rating and 5% received a 2-star rating.

This can be explained by the fact that fewer escalation attempts were made by telephone after the initial request was submitted with Cohort II. That meant that the 30-day time limit for providing records was exceeded on occasion.

For Cohort II, out of the providers that were given a 1-star rating, 86% failed to provide the records in the requested format, 20% exceeded the 30-day time frame for providing records, and 1% attempted to charge excessive fees. In Cohort I, the figures were 86% format failures, 2% fee issues, and 2% failed to send the records to the designee. All requests were processed within 30 days.

It is important to point out that copies of records were requested in a specific digital format. Ciitizen said 76% of providers receiving a 1-star rating would have received a 4- or 5-star rating if they had been allowed to send records in any digital format (CD, fax, or encrypted email).

Ciitizen chose to request a specific digital format to assess compliance and better reflect real world scenarios. For instance, many patients do not have access to a fax machine and may not have a laptop/computer with a CD drive.

Ciitizen believes the use of standard open APIs would help to ensure that records could easily be provided in the format requested by the patient.

Ciitizen points out that providers are now accepting request forms by mail, email, and fax, which makes it far easier for patients to obtain a copy of their records. To date, excessive fees have not been an issue but, in some cases, this was only due to Ciitizen successfully resolving attempts by providers to charge fees that are not permitted under HIPAA by escalating the issue to supervisors.

The detailed Ciitizen report can be viewed and downloaded on this link.

Penalties for Noncompliance with HIPAA Right of Access

The penalties for noncompliance are can be severe. Willful neglect of HIPAA Rules now carries a minimum penalty of $58,490 per violation, if no corrective action has been taken, and a maximum penalty of $1,754,698 per violation, per year. OCR calculates penalties based on the number of days the organization has not been in compliance, so the maximum possible penalty is substantial.

OCR has stated on multiple occasions that HIPAA Right of Access failures are one of its main enforcement priorities. Already this year, OCR has issued one financial penalty for noncompliance with this important aspect of HIPAA and it will not be the last.

Bayfront Health St Petersburg was fined $85,000 for HIPAA Right of Access failures in September 2019 and in 2011, Cignet Health of Prince George’s County was ordered to pay a civil monetary penalty of $4,300,000 for denying patients access to their medical records.

It doesn’t take a data breach for an investigation into patient rights violations to be initiated by OCR. The Bayfront Health St Petersburg financial penalty was in response to a single complaint from a patient who had not been provided with her medical records in a timely manner.