Patient Right of Access: Six lessons learned from some of OCR’s most recent civil monetary penalties [Sponsored]

This article is published in sponsorship with Ciox.

By Elizabeth A. Delahoussaye, RHIA, CHPS

Ease of access. It’s what every patient deserves when it comes to their protected health information. It’s also what’s legally required of covered entities under HIPAA. Yet many healthcare providers—particularly small facilities, physician practices, and behavioral health providers—continue to make mistakes, resulting in thousands of dollars in civil monetary penalties (CMP) from the Office for Civil Rights (OCR).

The good news is that HIM professionals can play a critical role in achieving HIPAA compliance. By sharing their knowledge and staying on top of OCR investigations, they can help their organizations avoid costly fines. However, it’s not just about the fines. Providing ease of access is also about giving patients what they need and want. Organizations that provide easy and timely access can actually increase patient satisfaction.

Following are six lessons learned from recent OCR CMPs throughout 2020 and the first quarter of 2021 that HIM professionals can leverage to advocate for compliance ROI processes within their organizations.

Lesson #1: Perform due diligence on any technical assistance that OCR provides.

What OCR found: Various providers (i.e., a nonprofit hospital, three psychiatric clinics, a psychiatric hospital, an otolaryngology practice, a primary care practice, and a medical center) violated individuals’ right of access by continually refusing access to records despite the technical assistance each of them had received from OCR.

CMP: Ranged from $3,500 to $70,000

Advice: Do not ignore OCR’s technical assistance. It’s there to ultimately help providers comply with HIPAA and avoid the need for a more in-depth OCR investigation and potential CMP. The whole point is to help organizations rectify the issue that initially prompted the OCR complaint. Keep in mind that compliance may or may not include actually releasing the record. There are eight exceptions to information blocking that may apply. If you believe you can deny access based on one of these exceptions, you must explain your rationale to OCR. You could also contact the OCR investigator listed on the technical assistance letter you received to explore the issue further or try to understand why you received the technical assistance to begin with. What does OCR see that you don’t? What are your concerns about releasing the record, and are those concerns valid? Another strategy is to contact your own legal department to determine whether there is a valid request. Finally, contact the requester who filed the complaint with OCR to determine exactly what information they want and why. Sometimes you can sort out the confusion within a few minutes.

Lesson #2: Provide the correct information to the patient’s representative.

What OCR found: A behavioral health group failed to provide a timely response to a request from a personal representative seeking access to her father’s medical records despite multiple requests.

CMP: $70,000

Advice: Remember that patients can direct that their information be released to any third party, including a personal representative or other family member. If the requisite documentation is absent, contact the requester directly to obtain that documentation rather than continually denying access.

Lesson #3: Provide staff with access to the designated record set.

What OCR found: A hospital failed to provide fetal heart monitor strips to a patient, a second hospital failed to provide actual diagnostic films (including x-rays, MRI, and CT scan images) to a patient, and a third hospital failed to send the patient’s records (including their billing information) to a third party—all despite multiple requests.

CMP: $85,000, $100,000, and $75,000 respectively

Advice: Remember that the designated record set doesn’t only include what’s in your EMR system—it includes everything you use for treatment or care, including records in other systems. More specifically, OCR defines the designated record set as follows:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The designated record set is truly HIM’s ‘Achilles’ heel,’ so to speak, because we don’t always know the totality of information that’s available and where it’s stored. Still, that’s not an excuse. Consider making a list of all of the systems that ancillary departments use, and identify who has access to these systems. Is it only the ancillary personnel? If so, who is the contact for all ROI requests? Update this list quarterly, and pay close attention to these trouble spots: radiology, fetal heart monitoring, and itemized billing. In addition, keep in mind that if a patient keeps asking for information, chances are there’s a reason. For example, they might continue to ask for diagnostic films if the organization continues to provide summary reports. Don’t assume the patient made a mistake in asking for films because they don’t have the ability to read the films themselves. They may intend to take those films to another provider for a second opinion, or perhaps they received care while traveling and want to coordinate care locally. One way to avoid confusion is to differentiate between reports and films on the request form so patients can deliberately check one or both boxes. If you’re not the custodian of the films, let the patient know who is and how they can request them.

Lesson #4: Pay attention to form and format.

What OCR found: A medical center failed to forward a patient’s medical records in electronic format to a third party despite repeated requests.

CMP: $65,000

Advice: Remember, OCR’s FAQs are very clear: the patient has a right to their information and can request it in an electronic format; if that format is feasible, the organization must comply. For example, if the patient requests their information on a floppy disk in a DOS format, this is not feasible. Contact the patient, and determine an agreed-upon format.

Lesson #5: Pay attention to timeliness of access.

What OCR found: A health system failed to provide a patient with access to her medical record until five months after she requested it. This same system also failed to provide a different patient with access until more than six months after they requested it.

CMP: $200,000

Advice: Organizations are permitted 30 calendar days to respond to a request for information. They’re also permitted a 30-calendar-day extension, if needed, but patients must be notified of this extension and the reason for it. Oversight is critical—including oversight of any business associates managing the ROI process. Ensure you have regular conversations with your staff or vendor, and review reports for any outstanding requests that are about to hit the 30-day mark.

Lesson #6: Understand how to use denial of access.

What OCR found: A provider inappropriately denied a patient access to her medical records.

CMP: $15,000

Advice: Take the time to review OCR’s guidance on ‘grounds for denial,’ and keep in mind that even OCR states there are limited circumstances in which these denials should occur. OCR has provided various FAQs on this topic as well. If there are valid reasons for denial, be sure to communicate that information clearly in writing to the patient and OCR.

Lesson #7: Ensure your facility forms are clear.

What OCR found: A nonprofit organization failed to provide a clear request form that notified the patient it did not have access to clinic records.

CMP: $160,000

Advice: OCR obviously views unclear forms as a barrier to access, and it’s not afraid to impose a hefty fine. If you use a patient right of access form, is it clear? If your health system includes more than one facility, ask the patient to specify the facility from which they’re requesting information. If there are clinics that handle their own ROI, you need to make this clear—that is, that the patient must go to the clinic to get the information. Oversight of these forms is important particularly during times of mergers and acquisitions so patients clearly understand from which entities they are requesting information—and what information they can expect to receive.

Lesson #8: Communicate with the requester.

Perhaps the most important lesson of all is that many of these cases could have been cleared up or avoided entirely if the organization had simply called the patient or other requester. It only takes a few minutes, and if doing so means avoiding a complaint or fine, those minutes are well worth it.

How an ROI vendor can help

There are several ways in which an ROI vendor can complement and enhance an organization’s compliance. Consider the following:

  1. If you get an OCR complaint, an ROI vendor is likely familiar with the terminology and the state and federal regulations that OCR wants you to cite or use when responding to the patient’s complaint. The goal? Potentially lessen the CMP or even make it go away.
  2. An ROI vendor is a subject matter expert that can help you identify which actions could potentially become a barrier and hinder patients having ease of access to information.
  3. An ROI vendor can help improve patient satisfaction by providing tools that enable ease of access and timely access to protected health information.

Organizations that focus on improving their ROI processes not only avoid costly OCR fines—they also move the needle on the patient experience. Patient right of access is ultimately about patients—ensuring they can request and receive timely access to their information. Doing what’s best for the patient should be the driving force. When organizations do what’s right for the patient, chances are that they’ll be compliant as well.

Elizabeth A. Delahoussaye is chief privacy officer at Ciox Health.

Ciox’s leading clinical data platform empowers greater health by simply and securely connecting healthcare decision makers with data and hidden insights in patient medical records. Learn more about Ciox’s technology and solutions for release of information, clinical coding and data abstraction at