Emerging Trends in OCR’s Right of Access Initiative and Implications for Business Associates

The U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) 2021 enforcement actions started with a bang, with five Right of Access Initiative settlements in the first three months of the year. Under the Right of Access Initiative, OCR has aimed to support individuals’ right to timely access of their Protected Health Information (“PHI”)[1] and has targeted covered entities’ non-compliance with fulfilling HIPAA’s right of access requirements. While the emerging enforcement trends from this Initiative are particularly relevant for covered entities, they also have important implications for business associates, especially with respect to contractual obligations and liabilities under business associate agreements (BAAs). Below, we analyze these trends and implications and provide our recommendations for how business associates may best address their right-of-access obligations and ensure compliance.

Key Takeaways

It’s clear from OCR’s activity under its Right of Access Initiative that:

• OCR pursues enforcement actions against covered entities, big and small, across a wide range of sub-industries;
• partial compliance is not sufficient; entities must comply when patients’ direct access to their electronic PHI to third parties or risk enforcement; and
• entities should pay attention when OCR provides technical assistance regarding access requests. 

Further, while the right of access is a covered entity’s obligation under HIPAA, and one that a business associate is obligated to support contractually, we expect that the increase of enforcement actions will prompt covered entities to more closely monitor business associate compliance with right-of-access obligations under BAAs. Accordingly, business associates that maintain PHI in designated record sets should, among other activities described below, implement and/or review policies and procedures to respond to such access requests, to ensure they can do so in a compliant and timely manner.

Emerging Trends in the Right of Access Initiative

Since starting its Right of Access Initiative in 2019, OCR has actively pursued right-of-access enforcement actions, recently settling its eighteenth investigation. By way of background, the right of access under HIPAA generally requires HIPAA covered entities to provide individuals with access to their PHI that is maintained in designated record sets[2] either by or on behalf of the covered entity. Specifically, individuals have the right to obtain a copy of their PHI and/or inspect it, as well as the right to direct a covered entity, if it uses or maintains the individual’s PHI in an electronic health record (“EHR”),[3] to transmit an electronic copy of their PHI in the EHR to a designated third party of the individual’s choice.[4]

So far, OCR’s right-of-access investigations have involved covered entities of varying sizes and sub-industries, including:

• Hospitals;
• Primary care providers;
• Multi-specialty medical clinics;
• Private medical practices;
• Mental health care providers;
• Academic medical centers; and
• Non-profits.

In a majority of these cases, covered entities have settled potential violations of the HIPAA Privacy Rule involving their failure to provide individuals with a copy of their requested PHI within the required time frames. Monetary settlements have ranged from $3,500 to $200,000, and all settlement agreements have included corrective action plans, with compliance monitoring for 1-2 years.

Additional enforcement trends that have emerged from the Initiative include:

• Partial compliance is insufficient. Several of OCR’s settlements have involved covered entities who failed to provide the full scope of requested PHI to individuals, underscoring that partial compliance with the right of access is insufficient to avoid enforcement. For example, Dignity Health, dba St. Joseph’s Hospital & Medical Center (“SJHMC”), a large, acute care hospital with several hospital-based clinics, agreed to pay $160,000 and enter into a corrective action plan with two years of monitoring, to settle potential violations of the right of access involving its failure to provide a mother with a copy of all of her son’s medical records that she requested, though SJHMC initially provided some of the requested records.
• Right to direct copies of EHR to third party will be enforced. Several of OCR’s investigations have also involved covered entities failing to send a copy of an individual’s PHI contained in an EHR to a designated third party, suggesting that OCR views the third-party directive right as an important part of the right to access. For example, OCR entered into a settlement agreement with Sharp HealthCare, dba Sharp Rees-Stealy Medical Centers (“SRMC”), a California medical center with several hospitals, affiliated medical groups, and a health plan, in which SRMC agreed to pay $70,000 and enter into a corrective action plan with two years of monitoring, to settle potential violations of the right of access involving its failure to respond to a patient’s records access request directing that an electronic copy of PHI in an EHR be sent to a third party.
• OCR is responsive to complaints and will not provide technical assistance in the case of repeated violations. In all of its Right of Access Initiative settlements, OCR has initiated investigations based on its receipt of a complaint alleging that a covered entity had violated the right of access. Upon receiving such a compliant, OCR has often—but not always—chosen to provide technical assistance to covered entities to help them comply with the right of access requirements; however, it has not done so in the case of subsequent violations. For example, after receiving a complaint alleging that The Arbour, Inc., dba Arbour Hospital (“Arbour”), a provider of behavioral health services in Massachusetts, had failed to take timely action in response to a patient’s records access request, OCR provided Arbour with technical assistance regarding the HIPAA right of access requirements. After receiving a second complaint that Arbour had still failed to respond to the same records access request, OCR initiated an investigation and ultimately entered into a settlement agreement in which Arbour agreed to pay $65,000 and enter into a corrective action plan with one year of monitoring.

Implications for Business Associates

While to date, OCR’s Right of Access Initiative has only targeted covered entities, as covered entities are primarily responsible for responding to individuals’ requests to access PHI under HIPAA, the Initiative could prompt covered entities to more closely monitor compliance with business associates’ contractual obligations regarding access requests. To comply with HIPAA, business associate agreements (BAAs) require a business associate to make PHI available in accordance with HIPAA’s individual access rights requirements.[5] While this may simply require providing access to the covered entity, often, the parties may agree in the BAA that the business associate will provide access to individuals directly, particularly where the business is the only holder of the designated record set or part thereof. Similarly, to the extent that the business associate maintains PHI in an EHR for a covered entity, it may be called on to send an electronic copy of such PHI to a third party, upon an individual’s request.

Business associates, therefore, must understand and define what PHI, if any, they maintain in designated record sets, including EHRs, in order to comply with their BAA right-of-access obligations. Note that although EHRs and designated record sets may contain overlapping information, they are not identical. Moreover, while certain kinds of information—such as medical records and insurance information—are clearly part of both EHRs and designated record sets, business associates may require assistance from covered entities in determining what other information is included, such as other information that is created or consulted by health care clinicians in the case of an EHR, or other records that the covered entity may use to make decisions about individuals in the case of a designated record set.

In addition, business associates must be conscious of required timeframes for responding to access requests, in order to comply with their BAA obligations. Currently, a covered entity must respond to an individual’s access request within 30 days, or 60 days if it utilizes a one-time, 30-day extension; however, under the current NPRM, OCR has proposed cutting this timeframe in half to 15 days, with the possibility for one 15-day extension. Covered entities may therefore obligate business associates to provide PHI to them within even shorter timeframes under their BAAs.  

Additionally, due to the regulatory scrutiny a covered entity may expect to receive from OCR under the Initiative, in the event that a business associate fails to respond to an access request within the designated timeframe in its BAA, the covered entity may also seek to enforce any breach and/or audit provisions of the BAA to address such a failure. The covered entity may also seek to shift liability for right-of-access noncompliance to the business associate, to the extent it has not already done so, through an indemnification provision in the BAA.

To avoid contractual liability and oversight, business associates should review their right-of-access obligations under any applicable BAAs, to determine:

• Whether the business associate maintains PHI in any EHRs or designated record sets, and if not, seek to include limiting language regarding the access provision(s) in its BAAs;
• How the business associate is required to make requested PHI available (i.e., to the covered entity, the individual, or any requested third parties);
• What the applicable reporting periods are (i.e., within how many days must PHI be made available); and
• Whether the business associate must comply with any format or reporting specifications (i.e., is there a specific address of the covered entity to which PHI must be sent and will the covered entity only accept PHI in a particular form).

While not required by HIPAA, to ensure compliance with their BAAs, business associates should also implement policies and procedures to ensure compliance with their right-of-access obligations, addressing:

• Contents and locations of any EHRs and/or designated record sets it maintains for a covered entity;
• Monitoring channels that may be used to submit access requests directly to the business associate;
• Forwarding of requests to covered entities, in accordance with contractual obligations; and
• Acknowledging receipt of and responding to requests, in accordance with contractual obligations and HIPAA requirements.

Finally, business associates should also monitor their compliance with their internal policies and procedures, and review and modify these policies and procedures periodically to account for any changes in law, new BAA obligations, or process improvements.

Republished in the September 2021 edition of Pratt's Privacy & Cybersecurity Law Report.

[1] See 45 CFR 164.524.

[2] A designated record set is a group of records maintained by or for a covered entity that comprises:

• Medical records and billing records about individuals maintained by or for a covered health care provider;
• Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals, including records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

[3] An EHR is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

[4] In 2013, the Omnibus Rule modified provisions of the Privacy Rule and the HITECH Act to broaden the right of access to include the right of an individual to direct copies of their PHI contained in designated record sets to third parties, regardless of format (e.g. paper and electronic health records). In 2016, OCR issued guidance, regarding the rates that an entity can charge for an individual’s access to their PHI and stated that this rate limit also applied to when an individual directed such access to a third party (e.g. a law firm, an insurance company) to receive a copy of such records. In 2020, the D.C. Circuit vacated this expansion of the right of access, regardless of format, and OCR’s price limits when individuals directed access to their designated record sets to third parties, with its decision in Ciox Health, LLC v. Azar. See 435 F. Supp. 3d 30 (D.D.C. 2020).

[5] See 45 CFR 164.504(e)(2)(E).