Failure to provide patient records can result in a HIPAA fine

After 22 years of HIPAA and 10 years of the HITECH Act on the books, it should be common knowledge that patients have a right of access to their medical records.

Although physician practices or business associates can charge a fee for patient medical records, it must be reasonable, and the format (e.g., paper or electronic) matters. “The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual.” 

Additionally, an entity may charge a flat fee “not to exceed $6.50 per request” to avoid going through the process of calculating allowable costs for electronic copies of PHI maintained electronically. Regardless of the cost issue, which is meant to be minimal, patients do have a right of access to their own medical records, including those of an unborn fetus as part of maternal care.

Recently, Bayfront Health in St. Petersburg, Fla., agreed to pay the U.S. Department of Health and Human Services Office of Civil Rights (OCR) $85,000 and implement a corrective action plan for a potential breach of failing to provide a pregnant woman with a full copy of her medical record, including the fetal heart monitor records of her unborn child, within the 30 days prescribed by HIPAA.

OCR initiated its investigation based on a complaint from the mother.  As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee.  This right to patient records extends to parents who seek medical information about their minor children. In this case, it was a mother who sought prenatal health records about her child.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino in a press release.  “We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

Although Bayfront did not admit liability, it had to conduct the following as part of its

:

• update its policies and procedures;

• provide training to staff on at least an annual basis and keep track of each person’s training completion;

• retain all documents for six years; and

• keep track of business associates.

This action by OCR serves as a reminder to physicians and business associates alike. Now is a good opportunity to make sure that staff are educated on the federal and state time frames to provide a patient or representative with a copy of medical records, that policies and procedures are up to date and that acceptable charges have been relayed to staff or business associates handling these requests. Failure to do so can lead to outcomes similar to Bayfront, which are costly in terms of time, fines and reputation.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.