HIPAA enforcement efforts target patients’ rights to medical records
Two recent enforcement actions by the federal Office for Civil Rights (OCR), each resulting in an $85,000 fine, should serve as a reminder to physicians to take requests for patients’ medical records seriously and to handle them in a timely and appropriate manner.

The OCR, which is part of the U.S. Department of Health and Human Services (HHS), announced its first enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative in mid-September 2019. It announced its second HIPAA Right of Access enforcement action and settlement in December. These actions make it clear that OCR is focusing on making sure patients can access medical records promptly, that they won’t be overcharged for copies of medical records, and that they can obtain records in a readily producible format of their choosing.

Timeliness at issue
The first enforcement action involved a 480-bed Florida hospital and stemmed from a complaint filed with OCR by an expecting mother, alleging that the hospital had failed to provide her with her unborn child’s prenatal medical records in a timely manner. After OCR began its investigation, the hospital provided the individual with the requested information. At that point, however, more than nine months had passed since the initial request. Under HIPAA, covered health care providers are generally required to provide medical records within 30 days of the request. To resolve the matter, the hospital paid an $85,000 monetary settlement and adopted a corrective action plan, which includes one year of monitoring by OCR.

Amount of fees also matters
The second enforcement action involved a Florida-based company that provides primary care and interventional pain management services to approximately 2,000 patients each year. The action and settlement resulted from two patient complaints filed with OCR against the company for its alleged failure to provide medical records to a third party in an electronic format and in a timely manner. It was also alleged that the practice had charged more than the reasonable, cost-based fees permitted under HIPAA. To settle the matter, the company agreed to implement corrective actions, including a one-year monitoring period, and to pay an $85,000 fine.

Important recent developments
On Jan. 28, OCR issued a statement explaining that, on Jan. 23, the U.S. District Court for the District of Columbia had vacated portions of a regulation promulgated by HHS in 2013 relating to the HIPAA Privacy Rule, as well as certain aspects of a HIPAA guidance document issued by HHS in 2016. More specifically, OCR explained in its statement that the court had found the “reasonable, cost-based fee” restriction on charges for copies of medical records applies only to an individual’s request for access to their own records and does not apply to an individual’s request to transmit records to a third party, such as to a law firm or insurance company. OCR also explained that the court’s decision impacted the “third-party directive” aspect of an individual’s right of access to medical records. The OCR stated, however, that it will continue enforcing the HIPAA right of access provisions not impacted by the court’s order. See the OCR’s statement and a link to the related court decision.

Practical implications
What does this mean for you and your practice? These two OCR right-of-access enforcement actions serve as a reminder that requests for medical records should be taken seriously and handled in a timely and appropriate manner. To avoid any missteps, practices should consider revisiting with their HIPAA counsel how medical record requests are handled, in light of the enforcement actions and recent federal court decision. For more on the practical implications of these actions for physician practices, see the article below by Stacy L. Cook, JD, LLM, of Barnes & Thornburg, LLP.

Note: This article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The content is intended for general informational purposes only, and you are urged to consult your own attorney regarding any specific legal questions you may have concerning your situation.


Court issues favorable ruling on HIPAA medical records fees


By Stacy L. Cook, JD, LLM
Partner, Barnes & Thornburg, LLP

Since its inception, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has imposed a limit on what a provider subject to HIPAA (a “Covered Entity”) can charge when a patient requests a copy of their own records.
HIPAA limited Covered Entities to charging patients a “reasonable, cost-based fee” (the “Patient Rate”), which was limited to:
  • The cost of copying, limited to the cost of labor for making the copies, or in the case of electronic records, to transfer (upload, download, burn) electronic health records (“EHR”) to electronic media;
  • The cost of supplies, such as paper or a CD; and
  • The cost of postage.
The Patient Rate cannot include any other costs, such as record storage, labor for retrieving the records, or labor spent reviewing the records to gather the specific records requested. Because HIPAA is a federal law, if the Patient Rate is less than what Indiana law allows a Covered Entity to charge, the HIPAA Patient Rate applies.

In 2016, the Department of Health and Human Services (“HHS”) issued a guidance document (“2016 Guidance”) stating that the Patient Rate also applies when a patient requests that a copy of their records be sent to any third party. HHS further specified that the Patient Rate applies even when a third party (such as a lawyer) makes the records request on behalf of the patient, and regardless of whether the request is for electronic records from EHR or paper records.

On Jan. 23, 2020, a federal court ruled that HHS went beyond its authority in the 2016 Guidance. The court ruled that HIPAA requires a Covered Entity to send records to a third party at the request of the patient only when the patient requests a copy of the records in an electronic format from an EHR. Second, the court ruled that the Patient Rate does not apply when the patient requests that their records be sent to a third party. HHS has acknowledged the court’s ruling on its website.

The key takeaways from the court’s ruling:
  1. If a patient requests a Covered Entity to send their records from an EHR to a third party in an electronic format, an authorization is not required. The Covered Entity can require that the patient request be in writing and that it clearly identify the third party. The Covered Entity is not limited to charging the Patient Rate but can charge the amount allowed under Indiana law.
  2. If a patient requests a Covered Entity to send hard copy records to a third party, the Covered Entity can require the patient to sign a HIPAA-compliant authorization, and the Covered Entity is not limited to charging the Patient Rate, but can charge the amount allowed under Indiana law.
  3. If a patient requests a Covered Entity to send their records to them (regardless of format), the Covered Entity does not need to use a HIPAA authorization but can require that the patient request be in writing. The Covered Entity is limited to charging the patient the Patient Rate.
Note: This article should not be construed as legal advice. It is intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.