With all of the attention on Health Insurance Portability and Accountability Act (HIPAA) requirements to safeguard the privacy and security of a patient’s health information, covered entities sometimes overlook the HIPAA provisions that give patients rights to their information. This includes a patient’s right to access his or her medical and billing records from providers and records in areas spanning billing, enrollment, payment, claims adjudication, medical management, and care decisions from health plans.

Earlier this week, the Office of Civil Rights of the Department of Health and Human Services (OCR) announced its first settlement agreement under an initiative to enforce patients’ rights to access their medical records. HIPAA typically requires covered entities to provide patients access to their records within 30 days of a request. In this case, OCR found that the provider furnished incomplete records to the patient’s counsel about five months after the patient’s initial request (with interim correspondence from counsel) and complete records to the patient’s counsel about 10 months after the initial request.

The new settlement agreement requires the provider to pay $85,000 and adhere to a corrective action plan that includes developing appropriate policies and procedures for individual access to information, distributing the policies and procedures to appropriate members of its workforce, and training workforce members on the policies and procedures to ensure compliance. The provider must also address this matter appropriately with business associates and provide OCR with a list of its business associates along with copies of all business associate agreements. Failure to provide patients timely access to information within the next year must be reported to the Department of Health and Human Services within 30 days.

Health care providers, health plans, and health care clearinghouses should have policies and procedures in place that allow them to provide a patient with prompt access to his or her health information at a reasonable charge (if any). Some state laws also regulate how much a provider can charge for copies of medical records. Business associate agreements should address vendor responsibilities on providing patients’ access to their information.