Healthcare Treats Patients, HIPAA Protects Them: Recent Changes to the HIPAA Laws and How These Changes Affect the Healthcare Community

By: Brian Field


With the ever-changing climate of technology, the Health Insurance Portability and Accountability Act (HIPAA) continues to make patient-centered modifications intended to protect personal health records. Key components of the most recent updates to HIPAA include prohibition of records withholding.

The inspiration for the recent changes comes from the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). A goal of both entities is to protect the health of all Americans and ensure essential human services. The OCR continues to reinforce a focus on patients regarding health and health records by aiming to eliminate technical barriers and to reduce or eliminate cost to patients.

Following HIPAA law changes can be daunting, but if there is one thing to keep in mind, it is that HIPAA prioritizes patients. The information below is a snapshot of what you should know as you navigate health records storage for your patients before, during, and after their care with you has ended:

Information blocking.

What is information blocking?

Information blocking is the act of inhibiting, preventing, or blocking the exchange of electronic health information (EHI) to patients. This act may pertain to all healthcare providers including physicians, clinics, hospitals, and third-party companies.

HIPAA law changes you should know:

Information blocking is prohibited under HIPAA, specifically for electronic health records companies. It is imperative to find an electronic health records (EHR) system that does not place arbitrary holds or restrictions on records. Liability for minimum storage time on those records, especially after a practice closes, can be litigated against all relevant healthcare providers and parties.

Legal rulings:

The HHS Office of Inspector General (OIG) has proposed a rule regarding civil money penalties for information blocking that could result in a maximum fine of up to $1 million per violation. While these regulations treat health information technology (IT) companies differently than providers, regulations will continue to emerge as patients’ ability to access healthcare information widens.

Other points:

Prevention of information blocking occurs in other federal programs including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).


HHS Office of Inspector General

Right of access.

What is HIPAA right of access?

HIPAA right of access pertains to personal health information (PHI) and includes two parts: (1) the right to inspect or obtain copies (or both) of that PHI and subsequently (2) directing the Covered Entity (i.e. Physicians, Clinics, Hospitals, or their Business Associates) to transmit a copy to the patient’s designee.

HIPAA law changes you should know:

Under HIPAA, the maximum allowable timeline for patients to receive PHI is proposed to be reduced from 30 days to 15 days. Charging patients in excess of the legal limits has also been viewed as an obstacle to patients, increasing the amount of time as well as barriers to receiving their PHI.

Legal rulings:

Up to 16 settlements were reached through February 2021 that averaged $65,000, with a range from $3,500 to $200,000. Covered entities that have been affected include solo physicians, practices, non-profits, and various hospitals. Not only do the Covered Entities pay these fines but they also receive disciplinary corrective action planning with additional monitoring by the OCR – all beginning with a patient complaint to the OCR filed against the Covered Entity.

Other points:

For those in the continuity planning stages for closing a practice, consider a verified records custodian or records management company with true expertise in HIPAA compliance to maintain and store all your patient health records. Proper Business Associates will masterfully follow HIPAA law changes and interface with your patients, so you know they’re in the best hands after your care.


The National Law Review, March 2021

Charging patients for medical records.

What can a medical provider or third-party charge a patient for their medical records?

HIPAA only allows a maximum charge of $6.50 for a patient to access their medical records. Exceptions to this rule can only be material cost-based fees related to accessing the records.

Legal rulings:

Excessively charging patients for their records has landed Covered Entities in settlements ranging from $85,000 into the millions of dollars. The rulings target records management companies and healthcare institutions attempting to charge even $15-$20 for copies of records. Some institutions also attempt to charge a fee per page of medical records released – all of which are liable for litigation under HIPAA laws.

Other points:

Some health records custodians will work closely with you to ensure everyone wins, at no cost to patients. Many high-priced fines/settlements levied against both Business Associates (Records Custodians) and the Covered Entities (Providers) they serve have also yielded prohibition of charging patients at all for copies of records, regardless of a base allowable HIPAA charge.


The HIPAA Journal, September 2020

Physicians Practice Magazine, September 2019


Through our expert partnerships, Hamil Little Healthcare Law is here to help you navigate HIPAA laws and compliance. We take note of state and federal laws pertaining to health records and we’re happy to consult with you should you have any questions or concerns.

If you have any questions please feel free to email Brian Field directly at:

Brian Field is a nationally renowned subject matter expert in the custodial records industry. With more than 20 years of document management experience serving in a variety of disciplines, Brian has specific expertise in the requirements associated with closing healthcare facilities. Ranging from private practices to large hospitals, Brian has walked hundreds of clients through difficult transitions related to retirement, bankruptcy, and/or consolidation. Through his many years of experience, he serves as a vital partner providing invaluable support as clients navigate the nuances associated with EMR vendor relationships, patient notifications, HIPAA requirements, and many other significant details related to proper closure. When not helping clients, Brian enjoys spending time with his wife, Jennifer, and three boys, which usually consists of coaching baseball or cheering on the Yankees.

*Disclaimer: Thoughts shared here do not constitute legal advice.
