Right of Access – Time limit on Medical Records Requests

Right of Access to Medical Records time limit

When a patient or a patient’s representative requests a copy of medical records, it is very important to act promptly. Currently you have 30 days to comply with a right of access request, plus one 30-day extension, provided you advise the patient or representative that you will need more time and give them the date by which the records will be available. We expect this time frame to be reduced to 15 days, with one 15-day extension, this year. I cannot stress the importance of this enough because of the fines that have been assessed for non-compliance. As of today, 43 cases have been resolved under the OCR’s HIPAA Right of Access Initiative. Only a few of the fines were under $10K; most ranged from $25K to $200K.

Other areas whose importance we must stress are disgruntled employees, patient complaints, and data breaches. Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance, so it is important to stay on top of ALL of them. Don’t forget to review your website too!

One special note: If you use a Contact Us form on your website, you must use encryption on your website (https) to ensure the data transmitted is secure. Then you must review where these messages are delivered and to which devices. Many website developers do not understand the HIPAA rules and offer website features that may create liability if they are not properly protected. Again, this also includes the devices used to receive the information and how that information is stored. If you do not receive very many of these messages, we recommend removing the form to eliminate the liability.

In case you have not seen some examples of the fines, check out our Education tab.

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, click here to find out more about how our online HIPAA Keeper™ can help your organization with HIPAA compliance.

Or, to schedule a demo, click the Contact Us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions, and she continues to educate organizations on how to minimize the risk of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or face an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved