Keeping Up With Clinical Risk Management:
Are you prepared for potential changes to the Privacy Rule?

A Quarterly Publication by Danielle Donovan
Winter 2021

Under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy of Individually Identifiable Health Information (Privacy Rule), covered entities (payers, insurers, hospitals, physicians, and other healthcare providers) must act on an individual’s request for access to their health records within 30 days. However, in December of 2020, the United States Department of Health and Human Services (HHS) issued a notice of proposed changes to modify multiple standards within the Privacy Rule, including shortening covered entities’ required response time to fulfilling a patient’s request for copies of their Protected Health Information (PHI) to no later than 15 calendar days.

Although this proposal aims to increase permissible disclosures of PHI and improve patients’ care coordination and case management, these changes may drastically change healthcare entities’ current health information management procedures and workflow. Those that do not adapt quickly (entities will have 180 days to make necessary modifications) to comply with the potential Privacy Rule changes could be at increased risk of HIPAA fines and settlements.

Reasons for the change

In April 2019, HIPAA launched an initiative to enforce the Privacy Rule, focusing on patients’ rights to timely access to their medical records. The initiative resulted in over 13 fines and HIPAA settlements to various healthcare organizations, with penalties ranging from $3,000 to the most recent settlement of $200,000 against Arizona-based Banner Health. Banner was cited after finding two patients’ record requests that took over four months to complete. Federal regulators documented that the healthcare facility fulfilled the patients’ requests for protected health information; however, the time it took to provide the data was greater than that permitted by the Privacy Rule.

The Office of Civil Rights (OCR) also conducted an audit of covered entities and business associates for compliance with HIPAA privacy and security rules and compiled their findings into a December 2020 report. Results of the audit found that 89% of covered entities failed to ensure individual right of access. Some covered entities did not maintain adequate records of how and when they responded to a request, appearing to breach the 30-day response requirement and failing to provide the patient with a written notice informing them of their rights to request a review of any denial decision.

Preparing to comply

To stay compliant with the Privacy Rule changes that may be forthcoming, healthcare organizations may want to consider preparing by evaluating the following practices:

  • Authorization to Disclose – Review current written policies and procedures surrounding the release of information to a patient or designated third party, focusing on changes to required timelines for response and appeal processes.
  • Authorization for Release – Review access request templates/extension forms, ensuring they provide the patient with a choice of format for receiving their PHI and notice of your duty as a covered entity to fulfill that request.
  • Fee Structure – Ensure your organization’s fee structure for providing access to records in different forms/formats and within the new timeframe is reasonable and cost-based (including labor, postage, supplies, etc.).
  • Notice of Privacy Practices – Create a modified draft of the organization’s notice of privacy practices that includes new required language, timeframes, and organizational contact that is ready to be prominently posted on your organization’s homepage when necessary.
  • Training – Develop a staff training plan on changes to organizational policies and procedures surrounding the Privacy Rules.

Patient access to health records is expected to continue to be a top enforcement priority of the HHS under the Biden administration. With the 60-day window of comments on the proposed regulation coming to a close, final regulatory changes will likely be announced soon. See the original Notice of Proposed Rulemaking for more information. If you have more questions on how to prepare your healthcare organization for these potential changes, contact Parker, Smith & Feek.

Danielle Donovan is Parker, Smith & Feek’s Clinical Risk Manager, dedicated to helping improve our healthcare clients’ operations and mitigate risks. She publishes regular articles to support this effort and provide unbiased advice on issues facing all types of healthcare organizations. Stay tuned for her next installment, and contact Parker, Smith & Feek’s Healthcare Practice Group if you would like to learn more.


Resources and References

  1. 2016-2017 HIPAA AUDITS INDUSTRY REPORT Department of Health and Human Services Office for Civil Rights Health Information Privacy Division December 2020 Report on 2016-2017 HIPAA Audits. , 1 Dec. 2020.
    www.hhs.gov/about/news/2020/12/17/ocr-issues-audit-report-health-care-industry-compliance-hipaa-rules.html
  2. Improving the Health Records Request Process for Patients Insights from User Experience Research.
    www.healthit.gov/sites/default/files/onc_records-request-research-report_2017-06-01.pdf
  3. Kolbasuk McGee, Marianne. “Biggest Fine yet for Patient Records Access Violation.”, 21 Jan. 2021, www.govinfosecurity.com/biggest-fine-yet-for-patient-records-access-violation-a-15749.

Return to Articles index

The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.