Client Alert

Access Denied: HHS Hones in on Patient Data Access Issues

21 Jan 2020

Long before the CCPA or the GDPR created individual rights to access, correct, and delete personal data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enshrined the right of individuals in the United States to access their health records held by healthcare providers, health plans, and their business associates.  Although these rules have been in effect for more than 16 years, regulators have recently signaled that access will be an area of increased scrutiny and, accordingly, have become more active and vocal in pursuing violators.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) affirmed that data accessibility is an enforcement priority by launching its “HIPAA Right of Access Initiative” in 2019. OCR Director Roger Severino announced that OCR will “aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records.”  In the spring of 2019, OCR also published FAQs addressing how organizations can share regulated protected health information (PHI) with third-party software platforms at the direction of patients, while still remaining in compliance with HIPAA.

Under HIPAA, patients have a general right to access the PHI held about them in a designated record set, and a covered entity must act on a request within 30 days of receiving it (a single 30-day extension is permitted if the individual is given written notice of the reason for the delay and the expected completion date). This right permits patients to inspect or obtain a copy of their PHI, or to direct the covered entity to transmit a copy to a designated person or entity.  OCR has emphasized that the right of access should be easy to invoke, empowering individuals to take more control of decisions regarding their health and well-being.  Healthcare organizations subject to HIPAA must also establish policies and procedures to track and fulfill such access requests. See 45 C.F.R. § 164.524.

OCR’s commitment to its Right of Access Initiative was illustrated by its 2019 enforcement activity.  In December 2019, OCR announced a settlement with Korunda Medical, LLC, a Florida-based primary care provider. Despite OCR’s intervention following an initial patient complaint, Korunda allegedly failed to provide patient records to a third party in the electronic format the patient had requested, and Korunda initially charged more than the reasonable, cost-based fee HIPAA allows.  Korunda agreed to pay a settlement of $85,000 and to undertake corrective actions, including staff training and a review and revision of its patient access policies and procedures.  In the OCR press release, Director Severino warned healthcare organizations that had “slow walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia.”

Earlier, in September 2019, OCR announced an $85,000 settlement and corrective action plan with Bayfront Health St. Petersburg of Florida for failure to provide timely access to prenatal health records. Bayfront had waited more than nine months after a request to provide the records to the patient (well beyond the 30 days required by HIPAA). This was the first settlement entered into by OCR in connection with its Right of Access Initiative.

Taken together, these enforcements teach a clear lesson: healthcare organizations should ensure that their policies and procedures for patient access to PHI are updated and effective, avoid creating unnecessary barriers to access, and properly train employees to respond to access requests.

OCR has made clear through its multiple published guidelines in this area that a key component of health care reform is “putting individuals ‘in the driver’s seat’ with respect to their health.” OCR’s 2016 combined guidelines on the right to access PHI address a range of possible questions about the topic, including verifying access requests, sharing PHI with third parties on behalf of the individual, the form and format for providing PHI to individuals, possible grounds for denying access requests, and most recently, updated guidance FAQs on charging reasonable fees for certain access requests.

Additionally, last year, OCR provided some clarity into how the access rights found in HIPAA intersect with health apps and APIs. The 2019 OCR guidelines outline various liability considerations for covered entities that fulfill individuals’ requests to transmit PHI to a third-party application. Considerations that covered entities must take into account when responding to such requests include the relationship between the covered entity and the app provider, the security of data transmission, and whether a business associate relationship exists between the covered entity and app provider.

With the advent of broader data privacy laws like CCPA (which also provide rights to access personal data generally for entities not subject to HIPAA) and the proliferation of health data aggregating software and APIs, we anticipate that OCR will continue to keep up its enforcement activity in this area.

To learn more, see the OCR press release and settlement agreement for the Korunda Medical case and information about the Bayfront Health St. Petersburg case.

OCR’s guidance and FAQs on “The access right, health apps, & APIs” (June 17, 2019) are available on the HHS Office for Civil Rights website.

The OCR 2016 guidance on HIPAA’s access rights, including FAQs on charging fees for copies of records, is available on the HHS Office for Civil Rights website.
