Fader Cited in Report on Patient Privacy

Eric Fader was cited in the HCCA’s Report on Patient Privacy publication. The article, “In Wake of 16th OCR Settlement, Time For CEs, BAs to Take Right of Access Seriously,” discusses that as the HHS Office for Civil Rights continues its crackdown on providers that fail to comply with the HIPAA right of access, it is past time for covered entities and business associates to upgrade their access policies and procedures, and to take the right of access very seriously.

Fader said that the message OCR is trying to send to providers with the right of access settlements is that “ignorance of your responsibilities under HIPAA is no excuse. Don’t tell us you’re too busy. You must train your workforce to respond timely to patients’ requests. Don’t pretend you didn’t know you had to do this, because we, the American Medical Association and other organizations, and mainstream news sources have all been talking about this for at least the past couple of years. And above all else, if we investigate you and you tell us you’ll do something, you’d better do it.” Fader told RPP that “any provider that hasn’t reviewed its internal policies on providing access to patient records and made sure that their workforce knows how to speak to patients and process these requests really has no good excuse for
noncompliance.”

Health care organizations have neglected the right of access, which led OCR to focus on it, Fader said. “The audits of HIPAA-covered entities and business associates that OCR has been doing for many years didn’t start out focusing on this problem,” he said. “However, it gradually became apparent, and in the past few years it has been recognized that the country’s health care costs can only be reduced through better coordination of care. It’s impossible to coordinate care among unrelated providers effectively if they don’t have timely access to patients’ records, including those records generated by other providers.”

Some common themes have emerged in the OCR’s 16 settlements so far. OCR is trying to make a point with the settlements, Fader said. He agreed they follow similar patterns. “It’s usually the same basic facts,” he explained. “Patient requests records. Patient is ignored entirely or receives only a few of the records (perhaps copies of test results that need to be burned onto a CD are what is omitted). Patient complains to OCR. OCR contacts provider and reminds them of their obligation. Provider says they’ll provide the records. OCR closes the case without penalty. Provider still doesn’t provide the records. Patient complains again. OCR reopens the case, investigates, and fines the provider. OCR announces the settlement publicly, trying to maintain a steady drumbeat of settlements to gradually educate the public.”

The COVID-19 pandemic has played a role, Fader said. “Many of the settlements—including one that a former client of my firm had to pay last year under the Right of Access Initiative—seem to have arisen out of violations that were caused, in part, by COVID-19. Many providers reduced office hours last year or had to furlough some administrative employees, and they simply didn’t have sufficient administrative support to respond to patient requests. My guess is that if a practice has one ‘front desk’ person and one administrative/billing person, and the latter is working from home some or all of the time where he/she may be less efficient, there will be a temptation to prioritize bills and follow-ups with insurance companies, and pay less attention to patients’ own requests for their records.”

Providers should expect more enforcement on the right of access from OCR going forward.