On January 3, 2023, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services announced its resolution of an investigation into a full-service diagnostic laboratory’s potential violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule’s right of access provisions. Although this resolution is the first of 2023, it follows a long list of resolutions since OCR’s focus on the right of access started and brings the total to 43 enforcement actions under OCR’s Right of Access Initiative. We anticipate that number may continue to grow this year.
Summary of Enforcement Action
A full-service diagnostic laboratory in Georgia must pay $16,500 and enter into a corrective action plan with OCR for failing to provide a personal representative with a copy of her deceased father’s medical records, which she requested in her capacity as the representative of his estate. The personal representative requested the records in July 2021, filed a complaint with OCR in August 2021 and ultimately did not receive the requested records until seven months later, in February 2022. HIPAA-covered laboratories must abide by the Privacy Rule’s right of access provisions and provide timely access to the requested records.
Personal Representatives
The HIPAA Privacy Rule generally treats a personal representative as the individual for purposes of the Privacy Rule’s rights and obligations with respect to health care matters related to the personal representative’s scope of authority. See 45 CFR 164.502(g). This includes the personal representative being able to exercise the right of access under 45 CFR 164.524. If the personal representative is authorized to make health care decisions for the individual, generally, then the personal representative also has the right and ability to access all of the individual’s protected health information absent a specific exception, such as the prevention of harm.
Practical Takeaways
The HIPAA Right of Access Initiative is focused on improving compliance with 45 CFR 164.524, so all covered entities should ensure that they are able to provide timely access to records or, if an exception applies, a timely denial notice to both patients and their personal representatives. Covered entities are encouraged to review policies and procedures regarding the verification and documentation of personal representatives and their authority to act on behalf of patients and train staff on how to identify and respond to requests by personal representatives.
Questions
If you have any questions or would like additional information about this topic, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Krystal Villarruel at (317) 429-3639 or kvillarruel@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.
