Access to Patient Medical Records During COVID-19

Laura Gerdes Long

By Laura Gerdes Long

Issues relating to a patient’s right of access to medical records have never been more important than now, in the midst of the COVID-19 pandemic.  Healthcare providers, big and small (from a large New York City non-profit providing health care and other services to the homeless population to small psychiatric services providers in Virginia and Colorado), are facing monetary penalties and having to comply with Corrective Action Plans (CAP) imposed by the Office for Civil Rights (OCR) with strict requirements and short deadlines.

One of these psychiatry services providers must distribute new policies and procedures concerning patient requests for records to all members of its workforce and relevant business associates within 30 days and to new employees upon hiring. Recipients are required to execute certification of having read, understood, and promised to abide by these policies and procedures. Training and individual certifications must be completed within 60 days. Going forward, the practice must implement annual training. Any reportable events must be fully investigated and described in a report as part of the full-scale written “Implementation Report.” The practice must submit the report to the U.S. Department of Health and Human Services (HHS) within 120 days. The CAP concludes with a “Final Report,” again containing specific terms and obligations of the psychiatry practice.

OCR warns in its press release that these enforcement actions are intended to send a message to the health care industry about the importance of complying with the HIPAA Privacy Rule. These enforcement actions further remind all HIPAA-covered entities of the importance of providing timely access to patient medical records at a reasonable cost.

Many health care providers may have been under the misimpression that under the April 2, 2020 OCR’s  Notification of Enforcement Discretion business associates and health care providers could relax their adherence to the requirements of the HIPAA Privacy Rule and many or all of the rule’s regulations. These relaxed measures, however, only pertain to the need for state and local health departments to obtain quick access to COVID-19 related health data to fight the pandemic.  Business associates who share HIPAA- protected information in “good faith” during the pandemic must inform the covered entity within 10 days of the disclosure.  The notification states that it will “remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.”

If you have any questions or concerns, please contact one of our health care attorneys.

For additional COVID-19 related information, go to our Coronavirus/COVID-19 Resource Center.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance, health care, legal malpractice,  and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, and self-insured employers.


Comments are closed.