Fire in the Hole: Patient Access to Medical Records

Thursday, February 25, 2021 | Michael J. Sacopulos

By Michael J. Sacopulos, JD, Founder & President, Medical Risk Institute

“Fire in the hole” is a warning that an explosive detonation in a confined space is imminent. It is not a phrase typically associated with HIPAA. But this is 2021. Nothing is typical. “Fire in the hole” seems like an appropriate warning when it comes to providing access to medical records.

In late 2019, the Office of Civil Rights (OCR) – think of them as the “HIPAA Police” –announced the first two cases where healthcare entities were punished for failing to timely provide requested medical records. Both entities were based in Florida and had not provided records months after they had been properly requested. At $85,000 each, the financial penalty was enough to draw attention. What quickly became clear was the cases in Florida were not going to be one off isolated event.

In a “I’m mad as hell, and I’m not going to take it anymore” press release, OCR Director, Roger Severino served notice on the healthcare community:

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”

This statement from December 2019 signaled where things were headed in the future.

In 2020, ten additional healthcare providers were hit with financial penalties for failing to allow access to medical records, with fines totaling over half a million dollars. Director Severino has been pursuing this issue with all the zeal of a new convert. There is no sign of an end to these actions.

By examining the dozen cases so far, we can determine patterns. The good news is that complying with the law and avoiding interaction with the OCR should be easy and inexpensive when it comes to this topic. Under the law, healthcare providers have 30 days to provide properly requested medical records. This begs the questions what are medical records and what is a proper request for them?

“Medical records” under the law encompass more than you might think. In fact, the term includes medical records, billing records, enrollment forms, claims documents and any other material used in making decisions about an individual. Least you think this definition is trivial or unimportant, one of the cases this year involved a failure of an orthopedic practice in New York to produce all records requested. Although charting information was provided, diagnostic films were not sent and the OCR initiated an investigation. Ultimately, the practice paid $100,000 and had to undertake a corrective action plan and be monitored for the next two years.

Some of the cases last year involved individuals requesting records on behalf of each other. For example, Beth Israel Lahey Health Behavioral Services failed to respond to a records request from a personal representative to obtain her deceased father’s records. Wise Psychiatry failed to produce records of a minor child to his father upon request. In both examples, the healthcare provider was fined five figures. These cases show that access rights apply to patient representatives as well as patients acting on their own behalf. This places healthcare provider in the position of needing to understand agency and legal representatives.

Several cases involved prior assistance from the OCR. Housing Works, Inc. failed to timely produce records and the patient filed a complaint with OCR and the Office responded by giving technical assistance to Housing Works. Unfortunately and inexplicably, Housing Works still had not produced the records thirty days thereafter. A second complaint was filed by the same individual. The OCR was far less understanding the second time around and sanctions were levied.

From these cases, a short to-do list emerges:

  1. If the OCR sends correspondence offering “technical assist,” do not ignore it. The situation is not concluded. Produce the records.
  2. Produce all the records requested. Read the request carefully. There is no credit for partial production.
  3. Produce records within 30 days of receiving the request.
  4. If you believe the request is defective or deficient, communicate the problem in writing to the person making the request.
  5. Have standard routines and protocols. These will reduce the chance of a request falling through the cracks. Log requests and have a specific person in charge of all record production.
  6. Do not make money on record production. If you are deemed to have charged too much, you will have problem.

If your practice follows these six points, you will avoid trouble. You have been warned.

Illustration: Lee Sauer

Leave a Comment

« Back