Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).

OCR’s five recent settlements, together with two 2019 right of access-based settlements, each ranging from $3,500 to $85,000 and accompanied by corrective action plans and one to two years of close OCR monitoring, demonstrate a significant uptick in furthering the agency’s HIPAA Right of Access Initiative.  OCR launched the HIPAA Right of Access Initiative in 2019 promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.  Following through with this promise, each of OCR’s Right of Access Initiative settlements in 2019 and 2020 has stemmed from an OCR investigation prompted by a patient’s (or their personal representative’s) complaint that a HIPAA-regulated party failed to respond to a request for access to their medical records in compliance with HIPAA.  According to OCR Director Roger Severino, in addition to being compliant with the law, providing patients with their health information also lowers costs and leads to better health outcomes.

Keeping with similar objectives, earlier this year HHS promulgated companion interoperability and information blocking final rules that transform the way in which certain health care providers, health information technology (IT) developers, health information exchanges and networks, and health plans share and provide access to patient information.  The two rules, issued by HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health information electronically through the application of their choosing.  For example, the ONC rule prohibits health care providers, health IT developers, and health information exchanges and networks from engaging in practices that are likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of electronic health information (also known as “information blocking”).  The ONC rule also requires regulated actors to respond to requests for electronic health information in the content and manner requested, with certain exceptions.  The CMS rule requires CMS-regulated payers to implement and maintain a secure, standards-based Patient Access API (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) 4.0.1) that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice.  The ONC rule has similar standards requiring health IT developers that develop or offer one or more health IT modules or products certified under the voluntary ONC Health IT Certification Program, to use secure, standardized APIs for patient data exchange, among other certification requirements.  
Central to the objectives of both ONC’s and CMS’ rules are the promotion of electronic access, exchange, and use of health information, moving the national healthcare system toward greater interoperability, and the strengthening of patients’ access to their own health information in an expeditious and convenient manner.

Enforcement of ONC’s and CMS’ new health information access, exchange, and use standards promulgated in the interoperability and information blocking rules is fast approaching and, depending on which of the two rules regulates an entity, ranges from civil monetary penalties to exclusion from participation in federal health care programs and other appropriate “disincentives” that have not yet been identified by the agencies.  That said, certain compliance timelines with the rules have been somewhat modified due to the COVID-19 pandemic.  In April, ONC and CMS, in conjunction with the OIG, issued a joint statement announcing a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the final rules in response to the COVID-19 public health emergency.  The agencies indicated that they would continue to monitor the developing public health emergency to determine if further action is necessary.  Since then, CMS has further extended enforcement of certain elements of its rule and, according to the Office of Management and Budget, compliance dates and timelines for ONC’s rule may also be further extended due to the pandemic.

For questions regarding compliance with patient access rights and requirements under HIPAA and ONC’s and CMS’s interoperability and information blocking rules or this post, please contact Nancy Halstead, Vicki Tankle or any Reed Smith attorney with whom you work.