By Linda Kloss

On September 9, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records. Sadly, we’re all too familiar with the long list of actions following breaches of health information. In fact, OCR levied over $28 million in fines for 2018 breach actions. Now, Bayfront Health, St. Petersburg, FL, has become the first covered entity to be fined for failure to comply with medical record access requirements.

Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Empowering patients is one of four key strategies for HHS, and access to information is a key tactic. HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule. However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS has been encouraging the use of apps for release of information to streamline the process and improve the flow of information.

The Bayfront case is a wake-up call for all compliance and disclosure management professionals and their business associates. OCR initiated an investigation based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child. Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney. The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR. HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.

Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set. Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance. Bayfront is obligated to report instances in which its employees or those of a business associate fail to comply, along with the results of its review and investigation. It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions.

Enforcement is a powerful lever that only a governing entity can apply.  The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management.  Reasonable disclosure management practices today include the following:

  • Technology-enabled – Growing volumes of requests can’t be managed without end-to-end disclosure management software that can track and prompt all phases of the request-through-release process, including compliance prompts.
  • Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system, knit together by the use of compliance-based technology.
  • Patient-centered – Proactive patient-facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
  • Knowledge work – Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
  • Accountability – Tracking, red-flagging and trending the status of all requests and maintaining auditable accounting of disclosure records.

We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays.  This should not happen, but I bet many are whispering “there but for the grace….”  This is a learning moment.  Business as usual in release of information is no longer in our patients’ or our employers’ best interests.  Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.