HIPAA Right of Access and Information Blocking


For decades the idea of patients being in control of their health information was given little more than tacit support by our government. The healthcare industry at large didn’t consider it to be beneficial or worth the time and money to implement, and the technology vendors themselves had their own motives. Things certainly have changed, and if it were not for federal action, they would not have. For the past few years, the position of Health and Human Services (HHS) has been crystal clear – patients have a right to access their healthcare records in a timely fashion and in the manner in which they desire, and if you hinder that access, you will be held accountable. To date, there have been 18 Right of Access violations assessed by the Office for Civil Rights (the HIPAA police under HHS). It has been the most active area of enforcement since COVID began, and while other areas of HIPAA have been relaxed to address public needs and organizational changes like work from home, there has been a considerable uptick in Right of Access enforcement. And it just got more interesting.

As of April 5th, 2021, HIPAA has a new final rule we will refer to as the Information Blocking rule. This final rule was scheduled to start in November of last year but was delayed due to COVID. In short, there’s now a new construct in place that goes into greater detail on what constitutes a right of access violation and what the penalty enforcement process may be. The good news for healthcare providers is if you’re limited in your ability to comply with a patient’s records request due to the technology you use, that vendor could be on the hook for significant penalties. But we wouldn’t suggest hanging your hat on that as an excuse to circumvent this law. You’ll still find yourself under scrutiny that will require time and likely money to get out of. That said, there are a handful of exceptions that may warrant you not complying with this new law. The full law and the exceptions can be viewed here: Electronic Code of Federal Regulations (eCFR).

Finally, the new law introduces a new penalty process for providers and Covered Entities, and this is where things may get murky. The Act requires the Office of Inspector General (OIG) to refer Covered Entities to an “appropriate agency” for what it calls, in an Orwellian turn of phrase, “appropriate disincentives” – which have yet to be determined.

If this law impacts you, we urge you to be certain your records management and release process is robust, redundant, reliable, repeatable, and trackable. If this is not the case, then call us or get help to make it that way. While we may not know what “appropriate disincentives” to be doled out by some “appropriate agency” may mean, we DO KNOW that OCR is actively and aggressively enforcing Right of Access rules and now they have a new bag of tricks. Don’t let yourself get caught in this rat’s nest.

While you tend to the many tasks before you, be sure to keep yourself and your staff alert for the many miscreants scheming to steal from you. Think before you click or enter sensitive data into a website.

Enjoy Spring!

Thank you for reading.


If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.