Providing patients with timely access to their medical records is part of HIPAA guidelines. Therefore, not providing access would be a violation of the HIPAA Privacy Rule.
Although there are certain exceptions, 45 C.F.R. section 164.524 generally requires that a covered entity provide a patient with a copy of his/her medical records within 30 days, and no later than 60 days, of the patient’s request.
In 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $4.3 million civil monetary penalty against Cignet Health (Cignet), a covered entity, for violating the HIPAA Privacy Rule. The $4.3 million civil monetary penalty was triggered by Cignet’s failure to provide access to the medical records of 41 patients, as well as its failure to adequately cooperate with OCR’s investigation.
Covered entities should examine their current HIPAA policies and practices — including their compliance program provisions for responding to requests for access to medical records. It’s important to verify that the entity’s operations are up-to-date with the recent legal changes.
While the penalties in 2011 were pretty big, HIPAA was sending a clear message: HHS OCR is serious about enforcing HIPAA violations.
Yes! You can be financially penalized if you are unable to provide medical records to present or past patients.