Everyone thinks of HIPAA as a security lock-down law, and indeed it is: a major part of HIPAA regulations is about the data holder’s responsibility to be careful with it. There have been huge penalties for allowing data leaks.
Fewer people realize that HIPAA regulations have also always included a “right of access” - here’s that page on the HHS website. It means that patients are allowed to request copies of their records, and providers must comply. This has always been true, but there’s an important change: in 2019, the government settled its first two major cases (with big fines) in which a patient asked for their data and the provider dragged its feet.
The right of access has never been enforced. But that has changed.
How would you like an $85,000 fine? Plus a year-long corrective plan?
That’s what Korunda Medical (in Florida) agreed to in December. It’s also what Bayfront Medical settled for in September. For deeper information about both settlements, see this blog post by Deven McGraw, whom many consider the world’s leading HIPAA authority. Her company Ciitizen’s scorecard project showed that half of providers were in violation.
Each $85,000 fine was for a single violation - a single (but persistent) failure to honor one patient’s legal request.
If they ask for it by email, you must deliver it by email
Another commonly misunderstood issue is whether a patient can request that their information be delivered by email. Providers (even their HIPAA compliance people) commonly refuse to do this, because ordinary email is unsecured and can be intercepted. But if the patient requests delivery by email, the provider must comply.
This is so widely misunderstood that it’s now on a Frequently Asked Questions page. Here’s a screen capture from Dec 17 of HIPAA FAQ #570, on the Office for Civil Rights website:
And from FAQ #2060:
Amazingly, though, in a fast-and-furious Twitter discussion in December about HIPAA and email, numerous patients said their doctor’s office would say, “I’m sorry, but our policy is that we don’t do that.”
Seriously? Do you understand the concept of a law?
You’re not allowed to say “Regardless of the law, we don’t do that.”
Unfortunately, if the law says you have to do it, you’re not allowed to have a “policy” that says “not me.” That’s like saying “My policy is that I do get to steal your car.”
The community created a Google Doc containing those screen captures and a slew of additional information: bit.ly/HIPAAemail, with links to the above and numerous other details.
Be informed. Stay out of trouble. Save money.
You can imagine that in both of the cases that ended with $85,000 fines, the provider incurred far greater costs during the months of dealing with investigators, not to mention the impact on its reputation in the local community from all the resulting news coverage.
Avoiding this is straightforward - not necessarily trivial, but not complicated: know the law. Study HIPAA’s “right of access,” look at the links in that Google Doc, and do the right thing. It’s a lot easier than coping with the consequences of getting caught. And it’s the right thing to do for the patients.
Want to know more about HIPAA and other regulations in relation to patient communication? Read our free guide, "Become a Text and Email Compliance Guru."