AHLA's Speaking of Health Law
AHLA's Speaking of Health Law
New OCR Enforcement Actions Emphasize Continued Focus on HIPAA Right of Access Initiative
Wes Morris, Senior Director, Consulting Services, Clearwater, speaks with Valerie Breslin Montague, Partner, Nixon Peabody LLP, about OCR’s recent enforcement actions and continued focus on HIPAA’s Right of Access Initiative. They discuss what the Right of Access initiative is and why it’s important and some of the themes of OCR’s recent enforcement actions. Valerie recently authored a Briefing on this subject. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for ALA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software as a service based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from their deep team of information security experts. For more information, visit clearwater compliance.com.
Speaker 2:Good morning, I'm your host, West Morris with Clearwater Compliance. Joining me today is Valerie Monague, partner with Nixon Peabody. Valerie, we've talked before about the subject we're gonna be speaking about today, which is the access rights under HIPAA and some of the, uh, issues going on with that initiative. Um, so it's great to talk with you again. Um, would you take a moment at, at the start of this and just tell us what is it that this access, uh, initiative is all about and why it's important to keep it at the forefront?
Speaker 3:Sure. Well, last, it's, it's great to speak with you again and I, I do think the, um, access initiative is, is an important reminder to cover entities that, you know, they, they do have a requirement to provide access to individuals or the individual's personal representatives of the, uh, protected health information that they hold. And we can talk through what the specifics of that are, but I know OCR created the initiative in order to address some problems. It was seeing either with access denials or with inappropriate fees being charged, just sort of a disregard for compliance with this initiative. And, um, you know, as we've seen over the last few years, they, they seem to be active in enforcing it.
Speaker 2:Yeah. Um, and, and in fact, what spurred this particular conversation today?
Speaker 3:Well, um, as, as some of our listeners might know, uh, a few months back, OCR produced, uh, or released, uh, about 11, I think it was 11, um, enforcement actions. And a couple months before that there was, um, a previous two. So there's been, I believe, 13 so far this year. Uh, so I think that, you know, that sort of renewed the conversation on this. It gave us new insight as, as to what the government's looking at and, and some more reminders for covered entities as to their obligations in this area.
Speaker 2:So, 11 all in one day, if I recall right. Which was kind of amazing, uh, to see them all hit at one time. What do you think the impact was of OCR choosing to, uh, publish all of those in one fell swoop, as it were?
Speaker 3:Yeah, it does seem like they've been batching the release of these types of enforcement actions. And as I said, there were, you know, two release before that, earlier this year. There were another five, um, at the end of last year. So I, you know, I think that it maybe reduces the enforcement fatigue when you're seeing sort of one off, um, decisions and one off settlements being released. And I think it also, um, you know, gives more weight to some of these. Um, you know, what, what I'll call, you know, a smaller enforcement action. It may be just one individual that was impacted. It may be a very small financial settlement with the organization. You know, people in the industry may not see that as catastrophic, but when it's grouped with 10 similar and, and some that may have, you know, more of a financial impact or more of a practical impact for the organization, then I think people may take more note.
Speaker 2:Yeah. Um, so I, I, I agree with you on that point. I think the, the fact that they release them all at once, like that really does raise the visibility, the awareness somewhat, uh, and it, and it keeps it at the forefront to, uh, to let the public know that this is not something that ended in the last administration. It is continuing, even though this started in the previous administration. Um, let's, let's go down the path a little bit, if we could of, uh, setting the stage. Many of our listeners will know what this right of access initiative is all about and what the rights right of access is about, but I suspect there may be some who won't have the same level of, uh, of awareness around it. So would you take a, a, a few minutes and talk about what the right of access is about under the HIPAA rules?
Speaker 3:Sure. I would be happy to. So the basic ground rule for covered entities is that, except for psychotherapy notes, which are, uh, you know, personal notes of therapy sessions held separately outside of the medical record by a therapist. And except for information that's specifically compiled in anticipation of litigation, the organization is required to provide either the patient or their personal representative with access to either inspect or obtain a copy of the protected health information that they hold in a designated record set, or both, cuz you, they could, they may ask to both inspect and to receive a copy. Um, there are a few very limited scenarios under which a covered entity can deny access. Um, one is very specific to research, so it would be related to protected health information they have that's created during the course of that research. Uh, it must be, the request must be being made while that research is still in progress. And the individual must have been informed at the start of the research when they consented that this, that, that they will not have access to their protected health information during that period. The second exception would be if a licensed healthcare professional, when they're exercising their professional judgment makes a determination that the access that's being requested is reasonably likely to endanger the life or safety of the requester or of another person. And there's also a limited circumstance where if it's, if there's a personal representative involved or protected health information that references a third party, if there, if there's reasonably likely to cause substantial harm, um, I can give a quick overview on the, the timing requirements as well, if that makes sense.
Speaker 2:Yeah, that sounds good.
Speaker 3:Okay. So, so the, the main requirement for timing, the basic requirement is that the covered entity has a 30 day window from its receipt of the request. And OCR has clarified in its guidance that the, it considers that to be an outer limit and it really encourages covered entities to respond to access requests quicker than that if possible, which I think is also consistent with the information blocking rule, um, that, that came out a bit back. And they are able to request or to, to, uh, have an extension of an additional 30 days if they notify the individual, the requester within that first 30 day period and tell them why they're requesting the delay and also the expected date on which that they will act on that request.
Speaker 2:So it's not just that you can say, Well, we didn't get it done in the first 30, so we'll take another 30. There are actions that have to be taken in that first 30 day window, including notice to the individual to, to let them know why or, or what to expect. Yeah,
Speaker 3:Exactly.
Speaker 2:Um, you talked about there there two, two terms that you used in, in that sort of overview that I wanna touch back on for a second. One is the designated record set and the other is information blocking. You talked briefly about this, the, the, that this information blocking rule, that's probably a subject for another day, but information blocking starts from the designated record set, uh, in terms of its, its definitions and coverage as well. So the designated record set has been, in my mind, the subject of some misapprehension over time, uh, regarding what is in that record set. Would you be willing to talk a little bit about what the designated record set's all about and what is releasable to the individual from that record set?
Speaker 3:Sure, absolutely. So for a healthcare provider that designated record set means medical or billing records that either the organization, the healthcare provider holds or that a business associate holds on their behalf. Mm-hmm.<affirmative> when that information is used or could be used in whole or in part to make decisions a about the individuals. So about the patients, um, it could be healthcare decisions, it could be decisions related to financial decisions related to payment. Um, so it's, it's actually pretty broad. Um, if, if a healthcare provider is holding patient information and it uses that information, whether it received it from the patient, whether it, you know, provided the treatment that, you know, produced the information, whether it received it from another treating provider, whether the patient brought the records, you know, to the office and, and gave them to the treating provider, um, as long as that information could be used to make a decision about that patient, it would be included within the designated record set.
Speaker 2:Right. And that misapprehension that I was speaking of comes directly from what you just said, records from another provider. We've seen it in the past, uh, where, um, there had been some, some erroneous guidance given at some point that seems to still be relied on by some people that says that if the records were created by someone else, they are not to be released from this new provider's record set. And that is an in error, Right. Um, they, they are releasable just like every other record because they were used to make decisions about this patient.
Speaker 3:Yes, that's correct. Yeah. Yeah. The only thing I would add to that is there may be state laws at play with respect to certain requests for phi, but typically, you know, unless there's extremely unusual circumstances, the state is going to permit the individual to have access to their own information. Now, I think where you may see restrictions on information you received from a third party would be if you know you've got an attorney requesting it or you know, another third party that's not the patient, then you may be justified in, in denying that request. But under the right of access, uh, you know, if it's permitted under HIPAA and it's it's being requested by the patient or legally authorized representative, it's likely permitted state law as well.
Speaker 2:Right, Right. Because, you know, as we've always said, HIPAA is the, and state, uh, it, what was the, uh, algorithm? If the state law gives greater rights to the patient or greater restrictions on the covered entity, then the state law would be the, uh, the law that would be most generally followed. But if HIPAA gives greater rights or greater restrictions to the covered entity, then the HIPAA law would be the one that would, would supersede and be the, uh, the law to be followed. It's kind of interesting how all of this comes together when I think about these issues. Um, and, uh, and one of the things that, uh, that I've noticed is, is that in these cases that we, um, are talking about, there were some general themes, um, and what, what stood out to you as one of the biggest themes in these cases that you would want to highlight or talk about with the, uh, with our audience?
Speaker 3:Well, I would say there, there's a number of, you know, I think important lessons that can be learned. I, I think, you know, one that is the most, it was pretty interesting to me that that jumped out as I reviewed the latest set of enforcement actions was how in, in a few OCR really called out, um, how long it was taking these organizations to provide access. I think in, in one they referenced 618 days, and another, they said 564 days. So I mean, they were very specific as to the timeline as to how long it took. And again, as we move into this information blocking world, I, I think that's key. And I think it's just a reminder to organizations that, you know, you really need to be efficient and streamlined in responding to these so that, you know, you don't have those, those factual scenarios.
Speaker 2:Right. So 614 days or whatever that number was just as an incredibly long time. I mean, we're talking well over a year, and if I read correctly in at least a few of the cases, uh, the OCR used each one of those days in the calculation of their settlement agreement or civil money penalty in a couple of cases. Is that right?
Speaker 3:Yes. I mean, I think that it's, it's, it's clear that, you know, that can have a financial impact on your organization. And, and it can be, I mean, as, as, as you know, the civil money penalties can, can be incurred day by day depending on what the con conduct is. So I think it's really important to make sure that your, that your organization is taking these requests seriously, that it's taking any complaints seriously. It's taking OCR outreach seriously.
Speaker 2:Yeah. Yeah. There were a couple of cases that, uh, had, um, personal representative situations involved. Would you speak about that theme a bit?
Speaker 3:Sure. I would say this is a continuing theme from the prior rounds of enforcement under the right of access. You know, I think the personal representative access request scenarios can be really tricky for organizations. Um, you know, you, you, you wanna balance getting it right and providing the information to the correct party who's authorized under law to receive that with, you know, providing access in a timely manner and, and getting the information over, um, to, to the person who's requesting it. And I think that, you know, you're able to verify the identity of the request, or you're able to ask, um, a personal representative for documentation of their power of attorney or whatever it may be. Um, but you need to be reasonable in that, and it, you can't use it as a tool, um, inadvertently or inadvertently to delay access. So it's, it's really important to have a good process in place. Um, it's also when we're dealing with minors, as, you know, that can get really sticky too, because there are certain services they can consent to and others that they can't. So you may, you may have a partial denial, partial provision of access scenario, and you wanna be sure you're clearly, you know, where things stand and you're, you're responding in the way you're responding.
Speaker 2:And this is for a, it would probably a good idea to say, and these are the times when you want to consult counsel<laugh>
Speaker 3:<laugh>. Absolutely. I mean, I think you wanna, you know, know the hierarchy within your organization, whoever's processing these requests and, you know, raise it with the privacy officer, the compliance person. And if, if it gets, if it's, it's too tricky and something nuanced or something new that the organization hasn't handled before, then I think it might require a call to council.
Speaker 2:Right. Well, that, yeah, that was kind of my point. There was many, many situations. We, you know, we've been around the field for a while. We know the norms and, and the things that happen regularly, but there are those cases where it's just something completely out of the norm. And, and, you know, definitely, especially with things like durable powers of attorney and healthcare proxies and, and some of those sorts of, of, uh, documents, uh, that can really establish a whole host of issues. If you don't know what to do or haven't really considered, of course, the best thing is to have it in your policy according to your laws of your state. Right. Uh, that says, this is, this is what we will do when we receive X document. But the really tricky ones, you know, oftentimes they don't, they don't show as well as they should, and we don't, we don't know what we don't know until they come up, I think is the case there. Um, one of the things that I also found interesting, uh, was that, uh, in, in one case there was, there appeared to be a misunderstanding of what was allowable and it was blamed on a failure in training. What are your thoughts?
Speaker 3:Yeah, I mean, I, I think, you know, you're only as, as good as your weakest link, right? So I, I think that it's important, especially given the nuances surrounding this issue, especially given that you may have a, a more junior person at the organization that initially receives these requests that you wanna go on, go beyond the basic, you know, HIPAA module of training. You wanna train individuals for their particular roles, and, you know, you wanna train them on not only the HIPAA requirements, not only your organization's policies and procedures, but, you know, we now have many, many organizations that are operating across state lines. And the fees that may be charged in Illinois might be different than those that are charged in New York or California, or, you know, Utah. It, it really just depends. And if you've got a minor in one state who's able to consent to a procedure, well that might not be the, the case in the neighboring state. So I think it's really important for those who are in these roles to have a really solid understanding of the requirements and also who to ask for within the organization for help.
Speaker 2:Right. Yeah, absolutely. Um, I also noticed that some of these cases involve involved multiple situations. Would you talk a bit about what you observed and the multiple requests or multiple, uh, complaints arena?
Speaker 3:Sure. Um, I think there's a, a couple examples of each and this batch of, uh, of 13 that came out this year. Um, so we saw a couple of settlements where, um, a patient had, had complained to OCR more than one time on the same, you know, scenario on the same request for information. Um, so I think it's important there, you know, sort of my takeaway there is, you know, can there be something done at the, at the covered entity level when you have, when you, when you become aware of a disgruntled patient or an issue with access to resolve it at that level. And also, I mean, and this can, we can get deeper into this conversation as well, when you do have a complaint to OCR and they, they reach out to you, make sure you're resolving it the first time. You know, don't, don't let them give you guidance and, and disregard it. You know, take advantage of the opportunity, resolve the issue, and, and move forward as an organization rather than, you know, disregarding and, and not taking OCRs guidance, um, and, and opening the door for the patient to reach out again. Right. And I would say the other side of that is, is, you know, uh, the, the enforcement actions that we saw that dealt with multiple requests, you know, you had a patient who requested their record annually, and, um, you had a patient who, um, requested multiple times in different forms, and it took, you know, a long time in both scenarios. Um, again, you wanna make sure you have a clear intake process. You wanna make sure that the expectations as to when the response is going out are communicated to your workforce. Um, and, and that really goes to communication and training.
Speaker 2:Yeah. Training, training, training, training.<laugh>, I've, I've been beating this drum for all of the years that I've been in this field, that training is the most critical piece. And it can't just be, this is hipaa, you know, It, it really does. I think what you said is, is really pertinent, and that is, is that you've got to train the people to their role mm-hmm.<affirmative> and what role is most likely to be involved in this kind of a situation, first and foremost, release of information or records. Uh, so their level of knowledge and understanding has got to be very high about these kinds of situations. Yeah. Um, also something that you mentioned there with these, with these cases, if I recall, there was at least one that, uh, there, that there was technical assistance given on the first call, which means that, uh, well, what does technical assistance mean as opposed to settle, um, agreements and investigations? What's the difference?
Speaker 3:Yeah, I mean, I, I think technical assistance is what I would say is kind of what we don't see. You know, it's, it's all the times that OCR received a complaint, determined it was worthy of investigation, reached out to the organization, asked questions, received feedback, and, you know, worked with the organization to correct the issue. And then, you know, most o more often than not moved on before, you know, there was any, any sort of public awareness before there was any sort of, you know, financial settlement or corrective action plan. So I think it's, it's more OCR providing guidance and instruction on how to resolve an issue that it, it learned of, um, without having to, to use enforcement.
Speaker 2:Right. Right. And, and we know that they do that, and there are, I don't recall the exact numbers, but it's quite a few every year. And they, they publish this on their website of how many technical assistance cases were, were done in a given year. Um, you know, like any other organization, I think they would prefer to solve it at that kind of a level before we get to getting into settlement agreements or civil money penalties. But that sort of takes me right into that subject. Um, settlement agreements and civil money penalties. First, what's the difference for those folks who may not really understand what we're dealing with there?
Speaker 3:Sure. So, uh, civil money, money penalties essentially are, you know, OCRs regulatory hammer that can be imposed for failing to comply with the hippo regulations. And those amounts will vary greatly depending on the nature of what happened, depending on whether the organization was acting with knowledge, with malicious intent, uh, you know, the, the harm involved is a factor. The number of individuals impacted us, obviously a factor. So, I mean, I think the, the, the highest civil money penalty we saw in the right of access, sort of before the initiative, but, but regarding the failure to provide access was a 4.3 million penalty, um, for both the failure to provide access and also the failure to cooperate with OCRs investigation of that issue. So, you know, the ones we've seen recently are obviously much smaller dollar amounts than that, but, you know, it can add up quickly depending on the nature of the conduct. Um, on the flip side, a settlement agreement or a corrective action plan is, is sort of what it sounds like. It's, it's, you know, OCR has identified an issue, they've worked with the organization, you know, technical assistance didn't work out or something, you know, more significant where enforcement was warranted. And they determine that a financial settlement is, is involved. And then the corrective action plan is the commitment of the organization to resolve the identified issue, to supplement their HIPAA compliance program, essentially. So that would, it's typically, you know, providing access, you know, with respect to these types of issues, getting the information to the requester, uh, revising policies, providing training, and then there's a lot of reporting on all of that and other elements as well. Back to ocr.
Speaker 2:So the bottom line is, is, is that if you get into a corrective action plan, you may have a lot of work to do to prove that you've made the changes over whatever period of time the, the corrective action plan is for. Um, I've seen'em for as short as a year, as long as three years. Do you see anything different?
Speaker 3:Yep. That, that's what I see as well. And I think it's really important. Cause I think a lot of people focus on the financial settlement, and if you have a, you know,$10,000 financial settlement, maybe that's not as scary. But when you think about a, a two year corrective action plan that's organization wide, that involves a lot of reporting back to the government, um, that involves a lot of personnel time, likely the time of outside council or consultants, you know, that's, that's much, that's much different. And that comes at a cost as well.
Speaker 2:Yeah. Yeah. In fact, sometimes we don't think about the cost of, of the corrective action that we have to undertake and then prove. Um, I, I did some research a while back on one case, which had a fairly substantial, this was not an access case, but it had a fairly substantial, um, um, financial settlement associated with it, like three or four or 5 million, something like that. And, and, you know, all of the news articles focused on that. Well, when you really went in and looked at that case and started looking at all of the other costs associated with it, the, the three or$4 million that ocr uh, imposed was a pitance in comparison, uh, that we were talking over a hundred million dollars by the time all was said and done. I mean, it was a big case. Uh, and you can look it up for yourself if you're really interested. You'll find it pretty quickly just by what little information I've given. I don't wanna highlight too much of that, but what did you, what did you notice from the types of providers that were involved in these cases? These 11 or the 13?
Speaker 3:Yeah, I mean, similar to the, the enforcement action, we've seen, you know, before 2020 to, it was, it was a broad range, You know, it went from skilled nursing and rehabilitation facility, large health system, dental practices, smaller healthcare providers. So it, it really, it wasn't in one particular sub-specialty or one particular type of healthcare provider, which is, is is probably intentional. You know, I think they want the industry, I think OCR wants the industry as a whole to understand that this is, is an obligation across the board. It's not just for the large hospital systems.
Speaker 2:Right, Right. So at the end of the day, this is still an important topic. It is still being actively enforced and managed by ocr. Uh, it has not lost a lot of the, um, it, you know, sometimes when administrations change, you will also find a change in focus, but we haven't seen that happen with this one. Uh, so there's, there's a lot of attention still being paid. To wrap this up, what would you say, um, as, as sort of the final perspectives that you'd like to offer, uh, to our listeners?
Speaker 3:Yeah, I, I completely agree with that. And, and I would say that organizations should take the time to be proactive about this, to really make sure that it's, it's personnel and it's workforce, understand their obligations within the organization as well as, you know, under the applicable law. And to, to put it, you know, easy to use process in place, both for external outreach to requesters, external outreach to ocr, and also internal communications as well. Because again, with some of these trickier access requests, it may not be just one person involved in responding. And the other thing I will say is just, you know, clear communications with the patients. If there's a, you know, request for documentation on a power of attorney or a request for, you know, a confirmation of identification, be clear on that. And if, if, you know, if the patient doesn't respond, maybe there's a follow up, maybe what, you know, I would, I would challenge organizations to see what tools can they put into place to avoid patients going to complain to ocr,
Speaker 2:Right? Yeah. That's what you want to try to do, if at all possible, is solve it in your own house and not let it go. I know in, in our notices of privacy practices that we, we, we list the, uh, address or, or, uh, contact details for, uh, OCR if somebody wants to complain. But I've always said, don't make that the first thing that they see. Make that one of the choices. Focus on giving contact information for your privacy officer, uh, for your team of whoever, and ask that they come to you and try to resolve it there first. Um, oftentimes you can avoid a lot of pain if you can just get people to reach out to you, tell you what their concern is, and solve it there, rather than letting it become something that is a formal complaint to the federal government. So, Well, this has been a, an interesting, uh, half hour for us. I've enjoyed talking with you again, Valerie. Thank you very much for joining us. Any final words to close us out?
Speaker 3:Thank you for, for inviting me and, and thank you to a, it's always a, always a pleasure to speak with you. Us.
Speaker 2:All right. It's a pleasure to speak with you. Um, on behalf of Nixon Peabody, Valerie Monague, myself and Clearwater, we thank you again for, uh, listening to us about these important subjects. Have a great rest of
Speaker 1:Enjoy, Enjoy this episode. Be sure to subscribe to ALA speaking of Health Law wherever you get your podcasts. To learn more about ALA and the educational resources available to the health law community, visit American Health law.org.