Study: Most healthcare providers violate HIPAA right of access rule

August 23, 2019
Medicare Web

More than half of healthcare providers are failing to comply with the HIPAA Privacy Rule’s right of access, according to a recent study by Ciitizen, a platform that helps patients collect, organize, and share their medical records digitally.

For the study, researchers used both a scoring system and a telephone survey to evaluate compliance with right of access. Of the 51 healthcare providers scored, 51% were either noncompliant (27%) or would’ve been noncompliant (24%) if it weren’t for multiple “escalation” calls to supervisors or privacy officers, the study found. Another 20% were compliant after one escalation call. Only 30% were compliant without intervention.

The results of the telephone survey were similar. Of the 3,003 healthcare providers assessed, 56% were likely noncompliant with the HIPAA right of access based on their responses, with nearly half of the offending institutions likely noncompliant in two or more categories.

By far, the biggest reason for HIPAA noncompliance was that healthcare providers failed to send records electronically to patients who requested them in that format. “Providers and their copy services continue to send paper records, faxes, and CDs — even when the patient explicitly requests records be sent electronically to a designee over email or uploaded to a portal,” the study’s authors wrote. “Healthcare providers are also hesitant to send records by standard (unsecure) email, even pursuant to specific patient requests that include acknowledgement and acceptance of security risks.”

The study also found that excessive fees were a barrier to the right of access, especially in the telephone survey, in which 24% of providers were likely noncompliant based on their responses. According to HHS guidance, a covered entity may charge a “reasonable, cost-based fee” to cover the cost of “certain labor, supplies, and postage.” The researchers in this study defined noncompliant fees as charging per page, charging for records retrieval, or charging a flat fee of more than $6.50.

The study shows that the HIPAA Privacy Rule’s right of access remains a major compliance issue despite recent efforts by the federal government to educate healthcare providers. According to HHS, access to records is one of the most common HIPAA-related complaints.
